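package gov.nist.secauto.oscal.lib.model;

import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValue;
import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValues;
import gov.nist.secauto.metaschema.binding.model.annotations.AssemblyConstraints;
import gov.nist.secauto.metaschema.binding.model.annotations.BoundAssembly;
import gov.nist.secauto.metaschema.binding.model.annotations.BoundField;
import gov.nist.secauto.metaschema.binding.model.annotations.BoundFieldValue;
import gov.nist.secauto.metaschema.binding.model.annotations.GroupAs;
import gov.nist.secauto.metaschema.binding.model.annotations.IsUnique;
import gov.nist.secauto.metaschema.binding.model.annotations.KeyField;
import gov.nist.secauto.metaschema.binding.model.annotations.MetaschemaAssembly;
import gov.nist.secauto.metaschema.binding.model.annotations.ValueConstraints;
import gov.nist.secauto.metaschema.model.common.JsonGroupAsBehavior;
import gov.nist.secauto.metaschema.model.common.constraint.IConstraint;
import gov.nist.secauto.metaschema.model.common.datatype.adapter.DateAdapter;
import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultiline;
import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultilineAdapter;
import gov.nist.secauto.metaschema.model.common.datatype.object.Date;
import gov.nist.secauto.metaschema.model.common.util.ObjectUtils;
import java.lang.Override;
import java.lang.String;
import java.util.LinkedList;
import java.util.List;
import org.apache.commons.lang3.builder.MultilineRecursiveToStringStyle;
import org.apache.commons.lang3.builder.ReflectionToStringBuilder;

/**
 * Contains the characteristics of the system, such as its name, purpose, and security impact level.
 *
 * <p>This is a plain mutable data holder bound to the {@code system-characteristics} assembly.
 * The accessors perform no validation of their own: the cardinalities ({@code minOccurs}) and the
 * allowed-value lists are only declared in the annotations on this class, so a populated instance
 * is not known to satisfy them until it has been validated separately (presumably by the
 * Metaschema binding library; confirm against the caller).
 *
 * <p>Of the allowed-value constraints below, only {@code responsible-party/@role-id} sets
 * {@code allowOthers = true}; the others do not set it and so presumably act as closed lists
 * (confirm against the annotation's default).
 *
 * <p>List getters hand out the live backing list rather than a copy, and no synchronization is
 * performed anywhere in this class.
 */
@MetaschemaAssembly(
    formalName = "System Characteristics",
    description = "Contains the characteristics of the system, such as its name, purpose, and security impact level.",
    name = "system-characteristics",
    metaschema = OscalSspMetaschema.class
)
@ValueConstraints(
    allowedValues = {
        @AllowedValues(level = IConstraint.Level.ERROR,
            target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name",
            values = {
                @AllowedValue(value = "identity-assurance-level", description = "A value of 1, 2, or 3 as defined by [SP 800-63-3](https://doi.org/10.6028/NIST.SP.800-63-3)."),
                @AllowedValue(value = "authenticator-assurance-level", description = "A value of 1, 2, or 3 as defined by [SP 800-63-3](https://doi.org/10.6028/NIST.SP.800-63-3)."),
                @AllowedValue(value = "federation-assurance-level", description = "A value of 1, 2, or 3 as defined by [SP 800-63-3](https://doi.org/10.6028/NIST.SP.800-63-3).")
            }),
        @AllowedValues(level = IConstraint.Level.ERROR,
            target = "prop[@name=('identity-assurance-level','authenticator-assurance-level','federation-assurance-level')]/@value",
            values = {
                @AllowedValue(value = "1", description = "As defined by [SP 800-63-3](https://doi.org/10.6028/NIST.SP.800-63-3)."),
                @AllowedValue(value = "2", description = "As defined by [SP 800-63-3](https://doi.org/10.6028/NIST.SP.800-63-3)."),
                @AllowedValue(value = "3", description = "As defined by [SP 800-63-3](https://doi.org/10.6028/NIST.SP.800-63-3).")
            }),
        @AllowedValues(level = IConstraint.Level.ERROR,
            target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name",
            values = {
                @AllowedValue(value = "cloud-deployment-model", description = "The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other."),
                @AllowedValue(value = "cloud-service-model", description = "The associated value is one of: saas, paas, iaas, or other.")
            }),
        @AllowedValues(level = IConstraint.Level.ERROR,
            target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='cloud-deployment-model']/@value",
            values = {
                @AllowedValue(value = "public-cloud", description = "The public cloud deployment model as defined by [The NIST Definition of Cloud Computing](https://doi.org/10.6028/NIST.SP.800-145)."),
                @AllowedValue(value = "private-cloud", description = "The private cloud deployment model as defined by [The NIST Definition of Cloud Computing](https://doi.org/10.6028/NIST.SP.800-145)."),
                @AllowedValue(value = "community-cloud", description = "The community cloud deployment model as defined by [The NIST Definition of Cloud Computing](https://doi.org/10.6028/NIST.SP.800-145)."),
                @AllowedValue(value = "hybrid-cloud", description = "The hybrid cloud deployment model as defined by [The NIST Definition of Cloud Computing](https://doi.org/10.6028/NIST.SP.800-145)."),
                @AllowedValue(value = "government-only-cloud", description = "A specific type of community-cloud for use only by government services."),
                @AllowedValue(value = "other", description = "Any other type of cloud deployment model that is exclusive to the other choices.")
            },
            remarks = "The hybrid cloud deployment model, as defined by [The NIST Definition of Cloud Computing](https://doi.org/10.6028/NIST.SP.800-145), can be supported by selecting two or more of the existing deployment models."),
        @AllowedValues(level = IConstraint.Level.ERROR,
            target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='cloud-service-model']/@value",
            values = {
                @AllowedValue(value = "saas", description = "Software as a service (SaaS) cloud service model as defined by [The NIST Definition of Cloud Computing](https://doi.org/10.6028/NIST.SP.800-145)."),
                @AllowedValue(value = "paas", description = "Platform as a service (PaaS) cloud service model as defined by [The NIST Definition of Cloud Computing](https://doi.org/10.6028/NIST.SP.800-145)."),
                @AllowedValue(value = "iaas", description = "Infrastructure as a service (IaaS) cloud service model as defined by [The NIST Definition of Cloud Computing](https://doi.org/10.6028/NIST.SP.800-145)."),
                @AllowedValue(value = "other", description = "Any other type of cloud service model that is exclusive to the other choices.")
            }),
        @AllowedValues(level = IConstraint.Level.ERROR,
            target = "responsible-party/@role-id",
            allowOthers = true,
            values = {
                @AllowedValue(value = "authorizing-official", description = "The authorizing official for this system."),
                @AllowedValue(value = "authorizing-official-poc", description = "The authorizing official's designated point of contact (POC) for this system."),
                @AllowedValue(value = "system-owner", description = "The executive ultimately accountable for the system."),
                @AllowedValue(value = "system-poc-management", description = "The primary management-level point of contact (POC) for the system."),
                @AllowedValue(value = "system-poc-technical", description = "The primary technical point of contact (POC) for the system."),
                @AllowedValue(value = "system-poc-other", description = "Other point of contact (POC) for the system that is not the management or technical POC."),
                @AllowedValue(value = "information-system-security-officer", description = "The primary role responsible for ensuring the organization operates the system securely."),
                @AllowedValue(value = "privacy-poc", description = "The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present.")
            })
    }
)
@AssemblyConstraints(
    isUnique = @IsUnique(id = "unique-ssp-system-characteristics-responsible-party", level = IConstraint.Level.ERROR, target = "responsible-party", keyFields = @KeyField(target = "@role-id"), remarks = "Since `responsible-party` associates multiple `party-uuid` entries with a single `role-id`, each role-id must be referenced only once.")
)
public class SystemCharacteristics {
  /**
   * The system identifiers ({@code system-id}); the binding declares at least one as required
   * ({@code minOccurs = 1}). Stays {@code null} until set or first added to.
   */
  @BoundField(
      formalName = "System Identification",
      description = "A [human-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this system identification property elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope). When referencing an externally defined `system identification`, the `system identification` must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same system across revisions of the document.",
      useName = "system-id",
      minOccurs = 1,
      maxOccurs = -1
  )
  @GroupAs(
      name = "system-ids",
      inJson = JsonGroupAsBehavior.LIST
  )
  private List<SystemId> _systemIds;

  /**
   * The full name of the system. Declared required ({@code minOccurs = 1}).
   */
  @BoundField(
      formalName = "System Name - Full",
      description = "The full name of the system.",
      useName = "system-name",
      minOccurs = 1
  )
  private String _systemName;

  /**
   * A short name for the system, such as an acronym, that is suitable for display in a data table
   * or summary list. Optional.
   */
  @BoundField(
      formalName = "System Name - Short",
      description = "A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.",
      useName = "system-name-short",
      remarks = "Since `system-name-short` is optional, if the `system-name-short` is not provided, the `system-name` can be used as a substitute."
  )
  private String _systemNameShort;

  /**
   * A summary of the system. Declared required ({@code minOccurs = 1}).
   */
  @BoundField(
      formalName = "System Description",
      description = "A summary of the system.",
      useName = "description",
      minOccurs = 1
  )
  @BoundFieldValue(
      typeAdapter = MarkupMultilineAdapter.class
  )
  private MarkupMultiline _description;

  /**
   * Namespace-qualified name/value properties ({@code prop}). Stays {@code null} until set or
   * first added to.
   */
  @BoundAssembly(
      formalName = "Property",
      description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.",
      useName = "prop",
      maxOccurs = -1
  )
  @GroupAs(
      name = "props",
      inJson = JsonGroupAsBehavior.LIST
  )
  private List<Property> _props;

  /**
   * References to local or remote resources ({@code link}). Stays {@code null} until set or first
   * added to.
   */
  @BoundAssembly(
      formalName = "Link",
      description = "A reference to a local or remote resource, that has a specific relation to the containing object.",
      useName = "link",
      maxOccurs = -1
  )
  @GroupAs(
      name = "links",
      inJson = JsonGroupAsBehavior.LIST
  )
  private List<Link> _links;

  /**
   * The date the system received its authorization. Optional.
   */
  @BoundField(
      formalName = "System Authorization Date",
      description = "The date the system received its authorization.",
      useName = "date-authorized"
  )
  @BoundFieldValue(
      typeAdapter = DateAdapter.class
  )
  private Date _dateAuthorized;

  /**
   * The overall information system sensitivity categorization, such as defined by
   * <a href="https://doi.org/10.6028/NIST.FIPS.199">FIPS-199</a>. Held as a free-form string; no
   * allowed-value list is declared for it in this class.
   */
  @BoundField(
      formalName = "Security Sensitivity Level",
      description = "The overall information system sensitivity categorization, such as defined by [FIPS-199](https://doi.org/10.6028/NIST.FIPS.199).",
      useName = "security-sensitivity-level",
      remarks = "Often, organizations require the security sensitivity level to correspond with the highest confidentiality, integrity, or availability level identified by `security-impact-level`."
  )
  private String _securitySensitivityLevel;

  /**
   * Details about the information types handled by the system. Declared required
   * ({@code minOccurs = 1}).
   */
  @BoundAssembly(
      formalName = "System Information",
      description = "Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in [NIST SP 800-60](https://doi.org/10.6028/NIST.SP.800-60v2r1).",
      useName = "system-information",
      minOccurs = 1
  )
  private SystemInformation _systemInformation;

  /**
   * The overall level of expected impact from unauthorized disclosure, modification, or loss of
   * access to information. Optional.
   */
  @BoundAssembly(
      formalName = "Security Impact Level",
      description = "The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.",
      useName = "security-impact-level"
  )
  private SecurityImpactLevel _securityImpactLevel;

  /**
   * The operational status of the system. Declared required ({@code minOccurs = 1}).
   */
  @BoundAssembly(
      formalName = "Status",
      description = "Describes the operational status of the system.",
      useName = "status",
      minOccurs = 1
  )
  private Status _status;

  /**
   * Description of the system's authorization boundary. Declared required
   * ({@code minOccurs = 1}).
   */
  @BoundAssembly(
      formalName = "Authorization Boundary",
      description = "A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.",
      useName = "authorization-boundary",
      minOccurs = 1
  )
  private AuthorizationBoundary _authorizationBoundary;

  /**
   * Description of the system's network architecture. Optional.
   */
  @BoundAssembly(
      formalName = "Network Architecture",
      description = "A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.",
      useName = "network-architecture"
  )
  private NetworkArchitecture _networkArchitecture;

  /**
   * Description of the logical flow of information within the system and across its boundaries.
   * Optional.
   */
  @BoundAssembly(
      formalName = "Data Flow",
      description = "A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.",
      useName = "data-flow"
  )
  private DataFlow _dataFlow;

  /**
   * Role-to-party assignments ({@code responsible-party}). The class-level uniqueness constraint
   * keys these on {@code @role-id}; the add method here does not check it. Stays {@code null}
   * until set or first added to.
   */
  @BoundAssembly(
      formalName = "Responsible Party",
      description = "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.",
      useName = "responsible-party",
      maxOccurs = -1
  )
  @GroupAs(
      name = "responsible-parties",
      inJson = JsonGroupAsBehavior.LIST
  )
  private List<ResponsibleParty> _responsibleParties;

  /**
   * Additional commentary about the containing object. Optional.
   */
  @BoundField(
      formalName = "Remarks",
      description = "Additional commentary about the containing object.",
      useName = "remarks"
  )
  @BoundFieldValue(
      typeAdapter = MarkupMultilineAdapter.class
  )
  private MarkupMultiline _remarks;

  /**
   * Creates an empty instance; every field starts out {@code null}.
   */
  public SystemCharacteristics() {
  }

  /**
   * Returns the live backing list of system identifiers (not a copy).
   * @return the list, or {@code null} if none has been set or added
   */
  public List<SystemId> getSystemIds() {
    return _systemIds;
  }

  /**
   * Replaces the backing list of system identifiers; the reference is stored without copying.
   * @param value the new list, may be {@code null}
   */
  public void setSystemIds(List<SystemId> value) {
    _systemIds = value;
  }

  /**
   * Add a new {@link SystemId} item to the underlying collection.
   * @param item the item to add; null is rejected by {@code ObjectUtils.requireNonNull}
   * @return {@code true}
   */
  public boolean addSystemId(SystemId item) {
    SystemId value = ObjectUtils.requireNonNull(item, "item cannot be null");
    // The backing list is created lazily on first add.
    if (_systemIds == null) {
      _systemIds = new LinkedList<>();
    }
    return _systemIds.add(value);
  }

  /**
   * Remove the first matching {@link SystemId} item from the underlying collection.
   * @param item the item to remove; null is rejected by {@code ObjectUtils.requireNonNull}
   * @return {@code true} if the item was removed or {@code false} otherwise
   */
  public boolean removeSystemId(SystemId item) {
    SystemId value = ObjectUtils.requireNonNull(item, "item cannot be null");
    return _systemIds != null && _systemIds.remove(value);
  }

  /**
   * Returns the full name of the system.
   * @return the name, or {@code null} if unset
   */
  public String getSystemName() {
    return _systemName;
  }

  /**
   * Sets the full name of the system; the value is stored as given, without validation.
   * @param value the new name
   */
  public void setSystemName(String value) {
    _systemName = value;
  }

  /**
   * Returns the short name of the system.
   * @return the short name, or {@code null} if unset
   */
  public String getSystemNameShort() {
    return _systemNameShort;
  }

  /**
   * Sets the short name of the system; the value is stored as given, without validation.
   * @param value the new short name
   */
  public void setSystemNameShort(String value) {
    _systemNameShort = value;
  }

  /**
   * Returns the system description.
   * @return the description markup, or {@code null} if unset
   */
  public MarkupMultiline getDescription() {
    return _description;
  }

  /**
   * Sets the system description.
   * @param value the new description markup
   */
  public void setDescription(MarkupMultiline value) {
    _description = value;
  }

  /**
   * Returns the live backing list of properties (not a copy).
   * @return the list, or {@code null} if none has been set or added
   */
  public List<Property> getProps() {
    return _props;
  }

  /**
   * Replaces the backing list of properties; the reference is stored without copying.
   * @param value the new list, may be {@code null}
   */
  public void setProps(List<Property> value) {
    _props = value;
  }

  /**
   * Add a new {@link Property} item to the underlying collection. The property's name and value
   * are not checked against the allowed-value constraints declared on this class.
   * @param item the item to add; null is rejected by {@code ObjectUtils.requireNonNull}
   * @return {@code true}
   */
  public boolean addProp(Property item) {
    Property value = ObjectUtils.requireNonNull(item, "item cannot be null");
    // The backing list is created lazily on first add.
    if (_props == null) {
      _props = new LinkedList<>();
    }
    return _props.add(value);
  }

  /**
   * Remove the first matching {@link Property} item from the underlying collection.
   * @param item the item to remove; null is rejected by {@code ObjectUtils.requireNonNull}
   * @return {@code true} if the item was removed or {@code false} otherwise
   */
  public boolean removeProp(Property item) {
    Property value = ObjectUtils.requireNonNull(item, "item cannot be null");
    return _props != null && _props.remove(value);
  }

  /**
   * Returns the live backing list of links (not a copy).
   * @return the list, or {@code null} if none has been set or added
   */
  public List<Link> getLinks() {
    return _links;
  }

  /**
   * Replaces the backing list of links; the reference is stored without copying.
   * @param value the new list, may be {@code null}
   */
  public void setLinks(List<Link> value) {
    _links = value;
  }

  /**
   * Add a new {@link Link} item to the underlying collection.
   * @param item the item to add; null is rejected by {@code ObjectUtils.requireNonNull}
   * @return {@code true}
   */
  public boolean addLink(Link item) {
    Link value = ObjectUtils.requireNonNull(item, "item cannot be null");
    // The backing list is created lazily on first add.
    if (_links == null) {
      _links = new LinkedList<>();
    }
    return _links.add(value);
  }

  /**
   * Remove the first matching {@link Link} item from the underlying collection.
   * @param item the item to remove; null is rejected by {@code ObjectUtils.requireNonNull}
   * @return {@code true} if the item was removed or {@code false} otherwise
   */
  public boolean removeLink(Link item) {
    Link value = ObjectUtils.requireNonNull(item, "item cannot be null");
    return _links != null && _links.remove(value);
  }

  /**
   * Returns the date the system received its authorization.
   * @return the date, or {@code null} if unset
   */
  public Date getDateAuthorized() {
    return _dateAuthorized;
  }

  /**
   * Sets the date the system received its authorization.
   * @param value the new date
   */
  public void setDateAuthorized(Date value) {
    _dateAuthorized = value;
  }

  /**
   * Returns the security sensitivity level.
   * @return the level string, or {@code null} if unset
   */
  public String getSecuritySensitivityLevel() {
    return _securitySensitivityLevel;
  }

  /**
   * Sets the security sensitivity level; the value is stored as given, without validation.
   * @param value the new level string
   */
  public void setSecuritySensitivityLevel(String value) {
    _securitySensitivityLevel = value;
  }

  /**
   * Returns the system information assembly.
   * @return the assembly, or {@code null} if unset
   */
  public SystemInformation getSystemInformation() {
    return _systemInformation;
  }

  /**
   * Sets the system information assembly.
   * @param value the new assembly
   */
  public void setSystemInformation(SystemInformation value) {
    _systemInformation = value;
  }

  /**
   * Returns the security impact level assembly.
   * @return the assembly, or {@code null} if unset
   */
  public SecurityImpactLevel getSecurityImpactLevel() {
    return _securityImpactLevel;
  }

  /**
   * Sets the security impact level assembly.
   * @param value the new assembly
   */
  public void setSecurityImpactLevel(SecurityImpactLevel value) {
    _securityImpactLevel = value;
  }

  /**
   * Returns the operational status of the system.
   * @return the status, or {@code null} if unset
   */
  public Status getStatus() {
    return _status;
  }

  /**
   * Sets the operational status of the system.
   * @param value the new status
   */
  public void setStatus(Status value) {
    _status = value;
  }

  /**
   * Returns the authorization boundary description.
   * @return the boundary, or {@code null} if unset
   */
  public AuthorizationBoundary getAuthorizationBoundary() {
    return _authorizationBoundary;
  }

  /**
   * Sets the authorization boundary description.
   * @param value the new boundary
   */
  public void setAuthorizationBoundary(AuthorizationBoundary value) {
    _authorizationBoundary = value;
  }

  /**
   * Returns the network architecture description.
   * @return the architecture, or {@code null} if unset
   */
  public NetworkArchitecture getNetworkArchitecture() {
    return _networkArchitecture;
  }

  /**
   * Sets the network architecture description.
   * @param value the new architecture
   */
  public void setNetworkArchitecture(NetworkArchitecture value) {
    _networkArchitecture = value;
  }

  /**
   * Returns the data flow description.
   * @return the data flow, or {@code null} if unset
   */
  public DataFlow getDataFlow() {
    return _dataFlow;
  }

  /**
   * Sets the data flow description.
   * @param value the new data flow
   */
  public void setDataFlow(DataFlow value) {
    _dataFlow = value;
  }

  /**
   * Returns the live backing list of responsible parties (not a copy).
   * @return the list, or {@code null} if none has been set or added
   */
  public List<ResponsibleParty> getResponsibleParties() {
    return _responsibleParties;
  }

  /**
   * Replaces the backing list of responsible parties; the reference is stored without copying.
   * @param value the new list, may be {@code null}
   */
  public void setResponsibleParties(List<ResponsibleParty> value) {
    _responsibleParties = value;
  }

  /**
   * Add a new {@link ResponsibleParty} item to the underlying collection. No check is made here
   * that the item's role-id is not already present, although the class-level uniqueness
   * constraint requires each role-id to be referenced only once.
   * @param item the item to add; null is rejected by {@code ObjectUtils.requireNonNull}
   * @return {@code true}
   */
  public boolean addResponsibleParty(ResponsibleParty item) {
    ResponsibleParty value = ObjectUtils.requireNonNull(item, "item cannot be null");
    // The backing list is created lazily on first add.
    if (_responsibleParties == null) {
      _responsibleParties = new LinkedList<>();
    }
    return _responsibleParties.add(value);
  }

  /**
   * Remove the first matching {@link ResponsibleParty} item from the underlying collection.
   * @param item the item to remove; null is rejected by {@code ObjectUtils.requireNonNull}
   * @return {@code true} if the item was removed or {@code false} otherwise
   */
  public boolean removeResponsibleParty(ResponsibleParty item) {
    ResponsibleParty value = ObjectUtils.requireNonNull(item, "item cannot be null");
    return _responsibleParties != null && _responsibleParties.remove(value);
  }

  /**
   * Returns the remarks.
   * @return the remarks markup, or {@code null} if unset
   */
  public MarkupMultiline getRemarks() {
    return _remarks;
  }

  /**
   * Sets the remarks.
   * @param value the new remarks markup
   */
  public void setRemarks(MarkupMultiline value) {
    _remarks = value;
  }

  /**
   * Builds a reflective, recursive, multi-line dump of this object and the objects it references.
   *
   * <p>The output carries the full content held here (system description, authorization
   * boundary, network architecture, data flow, responsible parties), so it should be handled
   * with the same care as the security plan itself, for example when it ends up in log files.
   */
  @Override
  public String toString() {
    return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
  }
}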