1 package gov.nist.secauto.oscal.lib.model;
2
3 import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValue;
4 import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValues;
5 import gov.nist.secauto.metaschema.binding.model.annotations.AssemblyConstraints;
6 import gov.nist.secauto.metaschema.binding.model.annotations.BoundAssembly;
7 import gov.nist.secauto.metaschema.binding.model.annotations.BoundField;
8 import gov.nist.secauto.metaschema.binding.model.annotations.BoundFieldValue;
9 import gov.nist.secauto.metaschema.binding.model.annotations.BoundFlag;
10 import gov.nist.secauto.metaschema.binding.model.annotations.GroupAs;
11 import gov.nist.secauto.metaschema.binding.model.annotations.IsUnique;
12 import gov.nist.secauto.metaschema.binding.model.annotations.KeyField;
13 import gov.nist.secauto.metaschema.binding.model.annotations.MetaschemaAssembly;
14 import gov.nist.secauto.metaschema.binding.model.annotations.ValueConstraints;
15 import gov.nist.secauto.metaschema.model.common.JsonGroupAsBehavior;
16 import gov.nist.secauto.metaschema.model.common.constraint.IConstraint;
17 import gov.nist.secauto.metaschema.model.common.datatype.adapter.UuidAdapter;
18 import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultiline;
19 import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultilineAdapter;
20 import gov.nist.secauto.metaschema.model.common.util.ObjectUtils;
21 import java.lang.Override;
22 import java.lang.String;
23 import java.util.LinkedList;
24 import java.util.List;
25 import java.util.UUID;
26 import org.apache.commons.lang3.builder.MultilineRecursiveToStringStyle;
27 import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
28
29
30
31
32 @MetaschemaAssembly(
33 formalName = "Security Assessment Plan (SAP)",
34 description = "An assessment plan, such as those provided by a FedRAMP assessor.",
35 name = "assessment-plan",
36 metaschema = OscalApMetaschema.class,
37 rootName = "assessment-plan"
38 )
39 public class AssessmentPlan extends AbstractOscalInstance {
40 @BoundFlag(
41 formalName = "Assessment Plan Universally Unique Identifier",
42 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this assessment plan in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#ap-identifiers). The locally defined *UUID* of the `assessment plan` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.",
43 useName = "uuid",
44 required = true,
45 typeAdapter = UuidAdapter.class
46 )
47 private UUID _uuid;
48
49 @BoundAssembly(
50 formalName = "Document Metadata",
51 description = "Provides information about the containing document, and defines concepts that are shared across the document.",
52 useName = "metadata",
53 minOccurs = 1
54 )
55 private Metadata _metadata;
56
57 @BoundAssembly(
58 formalName = "Import System Security Plan",
59 description = "Used by the assessment plan and POA\\&M to import information about the system.",
60 useName = "import-ssp",
61 minOccurs = 1,
62 remarks = "Used by the SAP to import information about the system being assessed."
63 )
64 private ImportSsp _importSsp;
65
66
67
68
69 @BoundAssembly(
70 formalName = "Local Definitions",
71 description = "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.",
72 useName = "local-definitions"
73 )
74 private LocalDefinitions _localDefinitions;
75
76
77
78
79 @BoundAssembly(
80 formalName = "Assessment Plan Terms and Conditions",
81 description = "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.",
82 useName = "terms-and-conditions"
83 )
84 private TermsAndConditions _termsAndConditions;
85
86 @BoundAssembly(
87 formalName = "Reviewed Controls and Control Objectives",
88 description = "Identifies the controls being assessed and their control objectives.",
89 useName = "reviewed-controls",
90 minOccurs = 1
91 )
92 private ReviewedControls _reviewedControls;
93
94 @BoundAssembly(
95 formalName = "Subject of Assessment",
96 description = "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.",
97 useName = "assessment-subject",
98 maxOccurs = -1
99 )
100 @GroupAs(
101 name = "assessment-subjects",
102 inJson = JsonGroupAsBehavior.LIST
103 )
104 private List<AssessmentSubject> _assessmentSubjects;
105
106 @BoundAssembly(
107 formalName = "Assessment Assets",
108 description = "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.",
109 useName = "assessment-assets"
110 )
111 private AssessmentAssets _assessmentAssets;
112
113 @BoundAssembly(
114 formalName = "Task",
115 description = "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.",
116 useName = "task",
117 maxOccurs = -1
118 )
119 @GroupAs(
120 name = "tasks",
121 inJson = JsonGroupAsBehavior.LIST
122 )
123 private List<Task> _tasks;
124
125 @BoundAssembly(
126 formalName = "Back matter",
127 description = "A collection of resources that may be referenced from within the OSCAL document instance.",
128 useName = "back-matter"
129 )
130 private BackMatter _backMatter;
131
132 public AssessmentPlan() {
133 }
134
135 public UUID getUuid() {
136 return _uuid;
137 }
138
139 public void setUuid(UUID value) {
140 _uuid = value;
141 }
142
143 public Metadata getMetadata() {
144 return _metadata;
145 }
146
147 public void setMetadata(Metadata value) {
148 _metadata = value;
149 }
150
151 public ImportSsp getImportSsp() {
152 return _importSsp;
153 }
154
155 public void setImportSsp(ImportSsp value) {
156 _importSsp = value;
157 }
158
159 public LocalDefinitions getLocalDefinitions() {
160 return _localDefinitions;
161 }
162
163 public void setLocalDefinitions(LocalDefinitions value) {
164 _localDefinitions = value;
165 }
166
167 public TermsAndConditions getTermsAndConditions() {
168 return _termsAndConditions;
169 }
170
171 public void setTermsAndConditions(TermsAndConditions value) {
172 _termsAndConditions = value;
173 }
174
175 public ReviewedControls getReviewedControls() {
176 return _reviewedControls;
177 }
178
179 public void setReviewedControls(ReviewedControls value) {
180 _reviewedControls = value;
181 }
182
183 public List<AssessmentSubject> getAssessmentSubjects() {
184 return _assessmentSubjects;
185 }
186
187 public void setAssessmentSubjects(List<AssessmentSubject> value) {
188 _assessmentSubjects = value;
189 }
190
191
192
193
194
195
196 public boolean addAssessmentSubject(AssessmentSubject item) {
197 AssessmentSubject value = ObjectUtils.requireNonNull(item,"item cannot be null");
198 if (_assessmentSubjects == null) {
199 _assessmentSubjects = new LinkedList<>();
200 }
201 return _assessmentSubjects.add(value);
202 }
203
204
205
206
207
208
209 public boolean removeAssessmentSubject(AssessmentSubject item) {
210 AssessmentSubject value = ObjectUtils.requireNonNull(item,"item cannot be null");
211 return _assessmentSubjects == null ? false : _assessmentSubjects.remove(value);
212 }
213
214 public AssessmentAssets getAssessmentAssets() {
215 return _assessmentAssets;
216 }
217
218 public void setAssessmentAssets(AssessmentAssets value) {
219 _assessmentAssets = value;
220 }
221
222 public List<Task> getTasks() {
223 return _tasks;
224 }
225
226 public void setTasks(List<Task> value) {
227 _tasks = value;
228 }
229
230
231
232
233
234
235 public boolean addTask(Task item) {
236 Task value = ObjectUtils.requireNonNull(item,"item cannot be null");
237 if (_tasks == null) {
238 _tasks = new LinkedList<>();
239 }
240 return _tasks.add(value);
241 }
242
243
244
245
246
247
248 public boolean removeTask(Task item) {
249 Task value = ObjectUtils.requireNonNull(item,"item cannot be null");
250 return _tasks == null ? false : _tasks.remove(value);
251 }
252
253 public BackMatter getBackMatter() {
254 return _backMatter;
255 }
256
257 public void setBackMatter(BackMatter value) {
258 _backMatter = value;
259 }
260
261 @Override
262 public String toString() {
263 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
264 }
265
266
267
268
269 @MetaschemaAssembly(
270 formalName = "Assessment Plan Terms and Conditions",
271 description = "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.",
272 name = "terms-and-conditions",
273 metaschema = OscalApMetaschema.class
274 )
275 @ValueConstraints(
276 allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, target = "part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name", values = {@AllowedValue(value = "rules-of-engagement", description = "Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment."), @AllowedValue(value = "disclosures", description = "Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure."), @AllowedValue(value = "assessment-inclusions", description = "Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment."), @AllowedValue(value = "assessment-exclusions", description = "Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment."), @AllowedValue(value = "results-delivery", description = "Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom."), @AllowedValue(value = "assumptions", description = "Defines any supposition made by the assessor. Has child 'item' parts for each assumption."), @AllowedValue(value = "methodology", description = "An explanation of practices, procedures, and rules used in the course of the assessment.")})
277 )
278 public static class TermsAndConditions {
279 @BoundAssembly(
280 formalName = "Assessment Part",
281 description = "A partition of an assessment plan or results or a child of another part.",
282 useName = "part",
283 maxOccurs = -1
284 )
285 @GroupAs(
286 name = "parts",
287 inJson = JsonGroupAsBehavior.LIST
288 )
289 private List<AssessmentPart> _parts;
290
291 public TermsAndConditions() {
292 }
293
294 public List<AssessmentPart> getParts() {
295 return _parts;
296 }
297
298 public void setParts(List<AssessmentPart> value) {
299 _parts = value;
300 }
301
302
303
304
305
306
307 public boolean addPart(AssessmentPart item) {
308 AssessmentPart value = ObjectUtils.requireNonNull(item,"item cannot be null");
309 if (_parts == null) {
310 _parts = new LinkedList<>();
311 }
312 return _parts.add(value);
313 }
314
315
316
317
318
319
320 public boolean removePart(AssessmentPart item) {
321 AssessmentPart value = ObjectUtils.requireNonNull(item,"item cannot be null");
322 return _parts == null ? false : _parts.remove(value);
323 }
324
325 @Override
326 public String toString() {
327 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
328 }
329 }
330
331
332
333
334 @MetaschemaAssembly(
335 formalName = "Local Definitions",
336 description = "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.",
337 name = "local-definitions",
338 metaschema = OscalApMetaschema.class
339 )
340 @AssemblyConstraints(
341 isUnique = {
342 @IsUnique(id = "unique-ap-local-definitions-component", level = IConstraint.Level.ERROR, target = "component", keyFields = @KeyField(target = "@uuid"), remarks = "Since multiple `component` entries can be provided, each component must have a unique `uuid`."),
343 @IsUnique(id = "unique-ap-local-definitions-user", level = IConstraint.Level.ERROR, target = "user", keyFields = @KeyField(target = "@uuid"), remarks = "A given `uuid` must be assigned only once to a user.")
344 }
345 )
346 public static class LocalDefinitions {
347 @BoundAssembly(
348 formalName = "Component",
349 description = "A defined component that can be part of an implemented system.",
350 useName = "component",
351 maxOccurs = -1,
352 remarks = "Used to add any components, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
353 )
354 @GroupAs(
355 name = "components",
356 inJson = JsonGroupAsBehavior.LIST
357 )
358 private List<SystemComponent> _components;
359
360 @BoundAssembly(
361 formalName = "Inventory Item",
362 description = "A single managed inventory item within the system.",
363 useName = "inventory-item",
364 maxOccurs = -1,
365 remarks = "Used to add any inventory-items, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
366 )
367 @GroupAs(
368 name = "inventory-items",
369 inJson = JsonGroupAsBehavior.LIST
370 )
371 private List<InventoryItem> _inventoryItems;
372
373 @BoundAssembly(
374 formalName = "System User",
375 description = "A type of user that interacts with the system based on an associated role.",
376 useName = "user",
377 maxOccurs = -1,
378 remarks = "Used to add any users, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
379 )
380 @GroupAs(
381 name = "users",
382 inJson = JsonGroupAsBehavior.LIST
383 )
384 private List<SystemUser> _users;
385
386 @BoundAssembly(
387 formalName = "Assessment-Specific Control Objective",
388 description = "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.",
389 useName = "objectives-and-methods",
390 maxOccurs = -1
391 )
392 @GroupAs(
393 name = "objectives-and-methods",
394 inJson = JsonGroupAsBehavior.LIST
395 )
396 private List<LocalObjective> _objectivesAndMethods;
397
398 @BoundAssembly(
399 formalName = "Activity",
400 description = "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.",
401 useName = "activity",
402 maxOccurs = -1
403 )
404 @GroupAs(
405 name = "activities",
406 inJson = JsonGroupAsBehavior.LIST
407 )
408 private List<Activity> _activities;
409
410 @BoundField(
411 formalName = "Remarks",
412 description = "Additional commentary about the containing object.",
413 useName = "remarks"
414 )
415 @BoundFieldValue(
416 typeAdapter = MarkupMultilineAdapter.class
417 )
418 private MarkupMultiline _remarks;
419
420 public LocalDefinitions() {
421 }
422
423 public List<SystemComponent> getComponents() {
424 return _components;
425 }
426
427 public void setComponents(List<SystemComponent> value) {
428 _components = value;
429 }
430
431
432
433
434
435
436 public boolean addComponent(SystemComponent item) {
437 SystemComponent value = ObjectUtils.requireNonNull(item,"item cannot be null");
438 if (_components == null) {
439 _components = new LinkedList<>();
440 }
441 return _components.add(value);
442 }
443
444
445
446
447
448
449 public boolean removeComponent(SystemComponent item) {
450 SystemComponent value = ObjectUtils.requireNonNull(item,"item cannot be null");
451 return _components == null ? false : _components.remove(value);
452 }
453
454 public List<InventoryItem> getInventoryItems() {
455 return _inventoryItems;
456 }
457
458 public void setInventoryItems(List<InventoryItem> value) {
459 _inventoryItems = value;
460 }
461
462
463
464
465
466
467 public boolean addInventoryItem(InventoryItem item) {
468 InventoryItem value = ObjectUtils.requireNonNull(item,"item cannot be null");
469 if (_inventoryItems == null) {
470 _inventoryItems = new LinkedList<>();
471 }
472 return _inventoryItems.add(value);
473 }
474
475
476
477
478
479
480 public boolean removeInventoryItem(InventoryItem item) {
481 InventoryItem value = ObjectUtils.requireNonNull(item,"item cannot be null");
482 return _inventoryItems == null ? false : _inventoryItems.remove(value);
483 }
484
485 public List<SystemUser> getUsers() {
486 return _users;
487 }
488
489 public void setUsers(List<SystemUser> value) {
490 _users = value;
491 }
492
493
494
495
496
497
498 public boolean addUser(SystemUser item) {
499 SystemUser value = ObjectUtils.requireNonNull(item,"item cannot be null");
500 if (_users == null) {
501 _users = new LinkedList<>();
502 }
503 return _users.add(value);
504 }
505
506
507
508
509
510
511 public boolean removeUser(SystemUser item) {
512 SystemUser value = ObjectUtils.requireNonNull(item,"item cannot be null");
513 return _users == null ? false : _users.remove(value);
514 }
515
516 public List<LocalObjective> getObjectivesAndMethods() {
517 return _objectivesAndMethods;
518 }
519
520 public void setObjectivesAndMethods(List<LocalObjective> value) {
521 _objectivesAndMethods = value;
522 }
523
524
525
526
527
528
529 public boolean addObjectivesAndMethods(LocalObjective item) {
530 LocalObjective value = ObjectUtils.requireNonNull(item,"item cannot be null");
531 if (_objectivesAndMethods == null) {
532 _objectivesAndMethods = new LinkedList<>();
533 }
534 return _objectivesAndMethods.add(value);
535 }
536
537
538
539
540
541
542 public boolean removeObjectivesAndMethods(LocalObjective item) {
543 LocalObjective value = ObjectUtils.requireNonNull(item,"item cannot be null");
544 return _objectivesAndMethods == null ? false : _objectivesAndMethods.remove(value);
545 }
546
547 public List<Activity> getActivities() {
548 return _activities;
549 }
550
551 public void setActivities(List<Activity> value) {
552 _activities = value;
553 }
554
555
556
557
558
559
560 public boolean addActivity(Activity item) {
561 Activity value = ObjectUtils.requireNonNull(item,"item cannot be null");
562 if (_activities == null) {
563 _activities = new LinkedList<>();
564 }
565 return _activities.add(value);
566 }
567
568
569
570
571
572
573 public boolean removeActivity(Activity item) {
574 Activity value = ObjectUtils.requireNonNull(item,"item cannot be null");
575 return _activities == null ? false : _activities.remove(value);
576 }
577
578 public MarkupMultiline getRemarks() {
579 return _remarks;
580 }
581
582 public void setRemarks(MarkupMultiline value) {
583 _remarks = value;
584 }
585
586 @Override
587 public String toString() {
588 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
589 }
590 }
591 }