Source code

001package gov.nist.secauto.oscal.lib.model;
002
003import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValue;
004import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValues;
005import gov.nist.secauto.metaschema.binding.model.annotations.AssemblyConstraints;
006import gov.nist.secauto.metaschema.binding.model.annotations.BoundAssembly;
007import gov.nist.secauto.metaschema.binding.model.annotations.BoundField;
008import gov.nist.secauto.metaschema.binding.model.annotations.BoundFieldValue;
009import gov.nist.secauto.metaschema.binding.model.annotations.BoundFlag;
010import gov.nist.secauto.metaschema.binding.model.annotations.GroupAs;
011import gov.nist.secauto.metaschema.binding.model.annotations.IsUnique;
012import gov.nist.secauto.metaschema.binding.model.annotations.KeyField;
013import gov.nist.secauto.metaschema.binding.model.annotations.MetaschemaAssembly;
014import gov.nist.secauto.metaschema.binding.model.annotations.ValueConstraints;
015import gov.nist.secauto.metaschema.model.common.JsonGroupAsBehavior;
016import gov.nist.secauto.metaschema.model.common.constraint.IConstraint;
017import gov.nist.secauto.metaschema.model.common.datatype.adapter.UuidAdapter;
018import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultiline;
019import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultilineAdapter;
020import gov.nist.secauto.metaschema.model.common.util.ObjectUtils;
021import java.lang.Override;
022import java.lang.String;
023import java.util.LinkedList;
024import java.util.List;
025import java.util.UUID;
026import org.apache.commons.lang3.builder.MultilineRecursiveToStringStyle;
027import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
028
029/**
030 * An assessment plan, such as those provided by a FedRAMP assessor.
031 */
032@MetaschemaAssembly(
033    formalName = "Security Assessment Plan (SAP)",
034    description = "An assessment plan, such as those provided by a FedRAMP assessor.",
035    name = "assessment-plan",
036    metaschema = OscalApMetaschema.class,
037    rootName = "assessment-plan"
038)
039public class AssessmentPlan extends AbstractOscalInstance {
040  @BoundFlag(
041      formalName = "Assessment Plan Universally Unique Identifier",
042      description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this assessment plan in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#ap-identifiers). The locally defined *UUID* of the `assessment plan` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.",
043      useName = "uuid",
044      required = true,
045      typeAdapter = UuidAdapter.class
046  )
047  private UUID _uuid;
048
049  @BoundAssembly(
050      formalName = "Document Metadata",
051      description = "Provides information about the containing document, and defines concepts that are shared across the document.",
052      useName = "metadata",
053      minOccurs = 1
054  )
055  private Metadata _metadata;
056
057  @BoundAssembly(
058      formalName = "Import System Security Plan",
059      description = "Used by the assessment plan and POA\\&M to import information about the system.",
060      useName = "import-ssp",
061      minOccurs = 1,
062      remarks = "Used by the SAP to import information about the system being assessed."
063  )
064  private ImportSsp _importSsp;
065
066  /**
067   * "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP."
068   */
069  @BoundAssembly(
070      formalName = "Local Definitions",
071      description = "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.",
072      useName = "local-definitions"
073  )
074  private LocalDefinitions _localDefinitions;
075
076  /**
077   * "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition."
078   */
079  @BoundAssembly(
080      formalName = "Assessment Plan Terms and Conditions",
081      description = "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.",
082      useName = "terms-and-conditions"
083  )
084  private TermsAndConditions _termsAndConditions;
085
086  @BoundAssembly(
087      formalName = "Reviewed Controls and Control Objectives",
088      description = "Identifies the controls being assessed and their control objectives.",
089      useName = "reviewed-controls",
090      minOccurs = 1
091  )
092  private ReviewedControls _reviewedControls;
093
094  @BoundAssembly(
095      formalName = "Subject of Assessment",
096      description = "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.",
097      useName = "assessment-subject",
098      maxOccurs = -1
099  )
100  @GroupAs(
101      name = "assessment-subjects",
102      inJson = JsonGroupAsBehavior.LIST
103  )
104  private List<AssessmentSubject> _assessmentSubjects;
105
106  @BoundAssembly(
107      formalName = "Assessment Assets",
108      description = "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.",
109      useName = "assessment-assets"
110  )
111  private AssessmentAssets _assessmentAssets;
112
113  @BoundAssembly(
114      formalName = "Task",
115      description = "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.",
116      useName = "task",
117      maxOccurs = -1
118  )
119  @GroupAs(
120      name = "tasks",
121      inJson = JsonGroupAsBehavior.LIST
122  )
123  private List<Task> _tasks;
124
125  @BoundAssembly(
126      formalName = "Back matter",
127      description = "A collection of resources that may be referenced from within the OSCAL document instance.",
128      useName = "back-matter"
129  )
130  private BackMatter _backMatter;
131
132  public AssessmentPlan() {
133  }
134
135  public UUID getUuid() {
136    return _uuid;
137  }
138
139  public void setUuid(UUID value) {
140    _uuid = value;
141  }
142
143  public Metadata getMetadata() {
144    return _metadata;
145  }
146
147  public void setMetadata(Metadata value) {
148    _metadata = value;
149  }
150
151  public ImportSsp getImportSsp() {
152    return _importSsp;
153  }
154
155  public void setImportSsp(ImportSsp value) {
156    _importSsp = value;
157  }
158
159  public LocalDefinitions getLocalDefinitions() {
160    return _localDefinitions;
161  }
162
163  public void setLocalDefinitions(LocalDefinitions value) {
164    _localDefinitions = value;
165  }
166
167  public TermsAndConditions getTermsAndConditions() {
168    return _termsAndConditions;
169  }
170
171  public void setTermsAndConditions(TermsAndConditions value) {
172    _termsAndConditions = value;
173  }
174
175  public ReviewedControls getReviewedControls() {
176    return _reviewedControls;
177  }
178
179  public void setReviewedControls(ReviewedControls value) {
180    _reviewedControls = value;
181  }
182
183  public List<AssessmentSubject> getAssessmentSubjects() {
184    return _assessmentSubjects;
185  }
186
187  public void setAssessmentSubjects(List<AssessmentSubject> value) {
188    _assessmentSubjects = value;
189  }
190
191  /**
192   * Add a new {@link AssessmentSubject} item to the underlying collection.
193   * @param item the item to add
194   * @return {@code true}
195   */
196  public boolean addAssessmentSubject(AssessmentSubject item) {
197    AssessmentSubject value = ObjectUtils.requireNonNull(item,"item cannot be null");
198    if (_assessmentSubjects == null) {
199      _assessmentSubjects = new LinkedList<>();
200    }
201    return _assessmentSubjects.add(value);
202  }
203
204  /**
205   * Remove the first matching {@link AssessmentSubject} item from the underlying collection.
206   * @param item the item to remove
207   * @return {@code true} if the item was removed or {@code false} otherwise
208   */
209  public boolean removeAssessmentSubject(AssessmentSubject item) {
210    AssessmentSubject value = ObjectUtils.requireNonNull(item,"item cannot be null");
211    return _assessmentSubjects == null ? false : _assessmentSubjects.remove(value);
212  }
213
214  public AssessmentAssets getAssessmentAssets() {
215    return _assessmentAssets;
216  }
217
218  public void setAssessmentAssets(AssessmentAssets value) {
219    _assessmentAssets = value;
220  }
221
222  public List<Task> getTasks() {
223    return _tasks;
224  }
225
226  public void setTasks(List<Task> value) {
227    _tasks = value;
228  }
229
230  /**
231   * Add a new {@link Task} item to the underlying collection.
232   * @param item the item to add
233   * @return {@code true}
234   */
235  public boolean addTask(Task item) {
236    Task value = ObjectUtils.requireNonNull(item,"item cannot be null");
237    if (_tasks == null) {
238      _tasks = new LinkedList<>();
239    }
240    return _tasks.add(value);
241  }
242
243  /**
244   * Remove the first matching {@link Task} item from the underlying collection.
245   * @param item the item to remove
246   * @return {@code true} if the item was removed or {@code false} otherwise
247   */
248  public boolean removeTask(Task item) {
249    Task value = ObjectUtils.requireNonNull(item,"item cannot be null");
250    return _tasks == null ? false : _tasks.remove(value);
251  }
252
253  public BackMatter getBackMatter() {
254    return _backMatter;
255  }
256
257  public void setBackMatter(BackMatter value) {
258    _backMatter = value;
259  }
260
261  @Override
262  public String toString() {
263    return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
264  }
265
266  /**
267   * Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.
268   */
269  @MetaschemaAssembly(
270      formalName = "Assessment Plan Terms and Conditions",
271      description = "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.",
272      name = "terms-and-conditions",
273      metaschema = OscalApMetaschema.class
274  )
275  @ValueConstraints(
276      allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, target = "part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name", values = {@AllowedValue(value = "rules-of-engagement", description = "Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment."), @AllowedValue(value = "disclosures", description = "Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure."), @AllowedValue(value = "assessment-inclusions", description = "Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment."), @AllowedValue(value = "assessment-exclusions", description = "Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment."), @AllowedValue(value = "results-delivery", description = "Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom."), @AllowedValue(value = "assumptions", description = "Defines any supposition made by the assessor. Has child 'item' parts for each assumption."), @AllowedValue(value = "methodology", description = "An explanation of practices, procedures, and rules used in the course of the assessment.")})
277  )
278  public static class TermsAndConditions {
279    @BoundAssembly(
280        formalName = "Assessment Part",
281        description = "A partition of an assessment plan or results or a child of another part.",
282        useName = "part",
283        maxOccurs = -1
284    )
285    @GroupAs(
286        name = "parts",
287        inJson = JsonGroupAsBehavior.LIST
288    )
289    private List<AssessmentPart> _parts;
290
291    public TermsAndConditions() {
292    }
293
294    public List<AssessmentPart> getParts() {
295      return _parts;
296    }
297
298    public void setParts(List<AssessmentPart> value) {
299      _parts = value;
300    }
301
302    /**
303     * Add a new {@link AssessmentPart} item to the underlying collection.
304     * @param item the item to add
305     * @return {@code true}
306     */
307    public boolean addPart(AssessmentPart item) {
308      AssessmentPart value = ObjectUtils.requireNonNull(item,"item cannot be null");
309      if (_parts == null) {
310        _parts = new LinkedList<>();
311      }
312      return _parts.add(value);
313    }
314
315    /**
316     * Remove the first matching {@link AssessmentPart} item from the underlying collection.
317     * @param item the item to remove
318     * @return {@code true} if the item was removed or {@code false} otherwise
319     */
320    public boolean removePart(AssessmentPart item) {
321      AssessmentPart value = ObjectUtils.requireNonNull(item,"item cannot be null");
322      return _parts == null ? false : _parts.remove(value);
323    }
324
325    @Override
326    public String toString() {
327      return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
328    }
329  }
330
331  /**
332   * Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
333   */
334  @MetaschemaAssembly(
335      formalName = "Local Definitions",
336      description = "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.",
337      name = "local-definitions",
338      metaschema = OscalApMetaschema.class
339  )
340  @AssemblyConstraints(
341      isUnique = {
342          @IsUnique(id = "unique-ap-local-definitions-component", level = IConstraint.Level.ERROR, target = "component", keyFields = @KeyField(target = "@uuid"), remarks = "Since multiple `component` entries can be provided, each component must have a unique `uuid`."),
343          @IsUnique(id = "unique-ap-local-definitions-user", level = IConstraint.Level.ERROR, target = "user", keyFields = @KeyField(target = "@uuid"), remarks = "A given `uuid` must be assigned only once to a user.")
344      }
345  )
346  public static class LocalDefinitions {
347    @BoundAssembly(
348        formalName = "Component",
349        description = "A defined component that can be part of an implemented system.",
350        useName = "component",
351        maxOccurs = -1,
352        remarks = "Used to add any components, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
353    )
354    @GroupAs(
355        name = "components",
356        inJson = JsonGroupAsBehavior.LIST
357    )
358    private List<SystemComponent> _components;
359
360    @BoundAssembly(
361        formalName = "Inventory Item",
362        description = "A single managed inventory item within the system.",
363        useName = "inventory-item",
364        maxOccurs = -1,
365        remarks = "Used to add any inventory-items, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
366    )
367    @GroupAs(
368        name = "inventory-items",
369        inJson = JsonGroupAsBehavior.LIST
370    )
371    private List<InventoryItem> _inventoryItems;
372
373    @BoundAssembly(
374        formalName = "System User",
375        description = "A type of user that interacts with the system based on an associated role.",
376        useName = "user",
377        maxOccurs = -1,
378        remarks = "Used to add any users, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
379    )
380    @GroupAs(
381        name = "users",
382        inJson = JsonGroupAsBehavior.LIST
383    )
384    private List<SystemUser> _users;
385
386    @BoundAssembly(
387        formalName = "Assessment-Specific Control Objective",
388        description = "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.",
389        useName = "objectives-and-methods",
390        maxOccurs = -1
391    )
392    @GroupAs(
393        name = "objectives-and-methods",
394        inJson = JsonGroupAsBehavior.LIST
395    )
396    private List<LocalObjective> _objectivesAndMethods;
397
398    @BoundAssembly(
399        formalName = "Activity",
400        description = "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.",
401        useName = "activity",
402        maxOccurs = -1
403    )
404    @GroupAs(
405        name = "activities",
406        inJson = JsonGroupAsBehavior.LIST
407    )
408    private List<Activity> _activities;
409
410    @BoundField(
411        formalName = "Remarks",
412        description = "Additional commentary about the containing object.",
413        useName = "remarks"
414    )
415    @BoundFieldValue(
416        typeAdapter = MarkupMultilineAdapter.class
417    )
418    private MarkupMultiline _remarks;
419
420    public LocalDefinitions() {
421    }
422
423    public List<SystemComponent> getComponents() {
424      return _components;
425    }
426
427    public void setComponents(List<SystemComponent> value) {
428      _components = value;
429    }
430
431    /**
432     * Add a new {@link SystemComponent} item to the underlying collection.
433     * @param item the item to add
434     * @return {@code true}
435     */
436    public boolean addComponent(SystemComponent item) {
437      SystemComponent value = ObjectUtils.requireNonNull(item,"item cannot be null");
438      if (_components == null) {
439        _components = new LinkedList<>();
440      }
441      return _components.add(value);
442    }
443
444    /**
445     * Remove the first matching {@link SystemComponent} item from the underlying collection.
446     * @param item the item to remove
447     * @return {@code true} if the item was removed or {@code false} otherwise
448     */
449    public boolean removeComponent(SystemComponent item) {
450      SystemComponent value = ObjectUtils.requireNonNull(item,"item cannot be null");
451      return _components == null ? false : _components.remove(value);
452    }
453
454    public List<InventoryItem> getInventoryItems() {
455      return _inventoryItems;
456    }
457
458    public void setInventoryItems(List<InventoryItem> value) {
459      _inventoryItems = value;
460    }
461
462    /**
463     * Add a new {@link InventoryItem} item to the underlying collection.
464     * @param item the item to add
465     * @return {@code true}
466     */
467    public boolean addInventoryItem(InventoryItem item) {
468      InventoryItem value = ObjectUtils.requireNonNull(item,"item cannot be null");
469      if (_inventoryItems == null) {
470        _inventoryItems = new LinkedList<>();
471      }
472      return _inventoryItems.add(value);
473    }
474
475    /**
476     * Remove the first matching {@link InventoryItem} item from the underlying collection.
477     * @param item the item to remove
478     * @return {@code true} if the item was removed or {@code false} otherwise
479     */
480    public boolean removeInventoryItem(InventoryItem item) {
481      InventoryItem value = ObjectUtils.requireNonNull(item,"item cannot be null");
482      return _inventoryItems == null ? false : _inventoryItems.remove(value);
483    }
484
485    public List<SystemUser> getUsers() {
486      return _users;
487    }
488
489    public void setUsers(List<SystemUser> value) {
490      _users = value;
491    }
492
493    /**
494     * Add a new {@link SystemUser} item to the underlying collection.
495     * @param item the item to add
496     * @return {@code true}
497     */
498    public boolean addUser(SystemUser item) {
499      SystemUser value = ObjectUtils.requireNonNull(item,"item cannot be null");
500      if (_users == null) {
501        _users = new LinkedList<>();
502      }
503      return _users.add(value);
504    }
505
506    /**
507     * Remove the first matching {@link SystemUser} item from the underlying collection.
508     * @param item the item to remove
509     * @return {@code true} if the item was removed or {@code false} otherwise
510     */
511    public boolean removeUser(SystemUser item) {
512      SystemUser value = ObjectUtils.requireNonNull(item,"item cannot be null");
513      return _users == null ? false : _users.remove(value);
514    }
515
516    public List<LocalObjective> getObjectivesAndMethods() {
517      return _objectivesAndMethods;
518    }
519
520    public void setObjectivesAndMethods(List<LocalObjective> value) {
521      _objectivesAndMethods = value;
522    }
523
524    /**
525     * Add a new {@link LocalObjective} item to the underlying collection.
526     * @param item the item to add
527     * @return {@code true}
528     */
529    public boolean addObjectivesAndMethods(LocalObjective item) {
530      LocalObjective value = ObjectUtils.requireNonNull(item,"item cannot be null");
531      if (_objectivesAndMethods == null) {
532        _objectivesAndMethods = new LinkedList<>();
533      }
534      return _objectivesAndMethods.add(value);
535    }
536
537    /**
538     * Remove the first matching {@link LocalObjective} item from the underlying collection.
539     * @param item the item to remove
540     * @return {@code true} if the item was removed or {@code false} otherwise
541     */
542    public boolean removeObjectivesAndMethods(LocalObjective item) {
543      LocalObjective value = ObjectUtils.requireNonNull(item,"item cannot be null");
544      return _objectivesAndMethods == null ? false : _objectivesAndMethods.remove(value);
545    }
546
547    public List<Activity> getActivities() {
548      return _activities;
549    }
550
551    public void setActivities(List<Activity> value) {
552      _activities = value;
553    }
554
555    /**
556     * Add a new {@link Activity} item to the underlying collection.
557     * @param item the item to add
558     * @return {@code true}
559     */
560    public boolean addActivity(Activity item) {
561      Activity value = ObjectUtils.requireNonNull(item,"item cannot be null");
562      if (_activities == null) {
563        _activities = new LinkedList<>();
564      }
565      return _activities.add(value);
566    }
567
568    /**
569     * Remove the first matching {@link Activity} item from the underlying collection.
570     * @param item the item to remove
571     * @return {@code true} if the item was removed or {@code false} otherwise
572     */
573    public boolean removeActivity(Activity item) {
574      Activity value = ObjectUtils.requireNonNull(item,"item cannot be null");
575      return _activities == null ? false : _activities.remove(value);
576    }
577
578    public MarkupMultiline getRemarks() {
579      return _remarks;
580    }
581
582    public void setRemarks(MarkupMultiline value) {
583      _remarks = value;
584    }
585
586    @Override
587    public String toString() {
588      return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
589    }
590  }
591}