View Javadoc
1   package gov.nist.secauto.oscal.lib.model;
2   
3   import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValue;
4   import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValues;
5   import gov.nist.secauto.metaschema.binding.model.annotations.AssemblyConstraints;
6   import gov.nist.secauto.metaschema.binding.model.annotations.BoundAssembly;
7   import gov.nist.secauto.metaschema.binding.model.annotations.BoundField;
8   import gov.nist.secauto.metaschema.binding.model.annotations.BoundFieldValue;
9   import gov.nist.secauto.metaschema.binding.model.annotations.BoundFlag;
10  import gov.nist.secauto.metaschema.binding.model.annotations.GroupAs;
11  import gov.nist.secauto.metaschema.binding.model.annotations.IsUnique;
12  import gov.nist.secauto.metaschema.binding.model.annotations.KeyField;
13  import gov.nist.secauto.metaschema.binding.model.annotations.MetaschemaAssembly;
14  import gov.nist.secauto.metaschema.binding.model.annotations.ValueConstraints;
15  import gov.nist.secauto.metaschema.model.common.JsonGroupAsBehavior;
16  import gov.nist.secauto.metaschema.model.common.constraint.IConstraint;
17  import gov.nist.secauto.metaschema.model.common.datatype.adapter.UuidAdapter;
18  import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultiline;
19  import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultilineAdapter;
20  import gov.nist.secauto.metaschema.model.common.util.ObjectUtils;
21  import java.lang.Override;
22  import java.lang.String;
23  import java.util.LinkedList;
24  import java.util.List;
25  import java.util.UUID;
26  import org.apache.commons.lang3.builder.MultilineRecursiveToStringStyle;
27  import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
28  
29  /**
30   * An assessment plan, such as those provided by a FedRAMP assessor.
31   */
32  @MetaschemaAssembly(
33      formalName = "Security Assessment Plan (SAP)",
34      description = "An assessment plan, such as those provided by a FedRAMP assessor.",
35      name = "assessment-plan",
36      metaschema = OscalApMetaschema.class,
37      rootName = "assessment-plan"
38  )
39  public class AssessmentPlan extends AbstractOscalInstance {
40    @BoundFlag(
41        formalName = "Assessment Plan Universally Unique Identifier",
42        description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this assessment plan in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#ap-identifiers). The locally defined *UUID* of the `assessment plan` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.",
43        useName = "uuid",
44        required = true,
45        typeAdapter = UuidAdapter.class
46    )
47    private UUID _uuid;
48  
49    @BoundAssembly(
50        formalName = "Document Metadata",
51        description = "Provides information about the containing document, and defines concepts that are shared across the document.",
52        useName = "metadata",
53        minOccurs = 1
54    )
55    private Metadata _metadata;
56  
57    @BoundAssembly(
58        formalName = "Import System Security Plan",
59        description = "Used by the assessment plan and POA\\&M to import information about the system.",
60        useName = "import-ssp",
61        minOccurs = 1,
62        remarks = "Used by the SAP to import information about the system being assessed."
63    )
64    private ImportSsp _importSsp;
65  
66    /**
67     * "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP."
68     */
69    @BoundAssembly(
70        formalName = "Local Definitions",
71        description = "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.",
72        useName = "local-definitions"
73    )
74    private LocalDefinitions _localDefinitions;
75  
76    /**
77     * "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition."
78     */
79    @BoundAssembly(
80        formalName = "Assessment Plan Terms and Conditions",
81        description = "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.",
82        useName = "terms-and-conditions"
83    )
84    private TermsAndConditions _termsAndConditions;
85  
86    @BoundAssembly(
87        formalName = "Reviewed Controls and Control Objectives",
88        description = "Identifies the controls being assessed and their control objectives.",
89        useName = "reviewed-controls",
90        minOccurs = 1
91    )
92    private ReviewedControls _reviewedControls;
93  
94    @BoundAssembly(
95        formalName = "Subject of Assessment",
96        description = "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.",
97        useName = "assessment-subject",
98        maxOccurs = -1
99    )
100   @GroupAs(
101       name = "assessment-subjects",
102       inJson = JsonGroupAsBehavior.LIST
103   )
104   private List<AssessmentSubject> _assessmentSubjects;
105 
106   @BoundAssembly(
107       formalName = "Assessment Assets",
108       description = "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.",
109       useName = "assessment-assets"
110   )
111   private AssessmentAssets _assessmentAssets;
112 
113   @BoundAssembly(
114       formalName = "Task",
115       description = "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.",
116       useName = "task",
117       maxOccurs = -1
118   )
119   @GroupAs(
120       name = "tasks",
121       inJson = JsonGroupAsBehavior.LIST
122   )
123   private List<Task> _tasks;
124 
125   @BoundAssembly(
126       formalName = "Back matter",
127       description = "A collection of resources that may be referenced from within the OSCAL document instance.",
128       useName = "back-matter"
129   )
130   private BackMatter _backMatter;
131 
132   public AssessmentPlan() {
133   }
134 
135   public UUID getUuid() {
136     return _uuid;
137   }
138 
139   public void setUuid(UUID value) {
140     _uuid = value;
141   }
142 
143   public Metadata getMetadata() {
144     return _metadata;
145   }
146 
147   public void setMetadata(Metadata value) {
148     _metadata = value;
149   }
150 
151   public ImportSsp getImportSsp() {
152     return _importSsp;
153   }
154 
155   public void setImportSsp(ImportSsp value) {
156     _importSsp = value;
157   }
158 
159   public LocalDefinitions getLocalDefinitions() {
160     return _localDefinitions;
161   }
162 
163   public void setLocalDefinitions(LocalDefinitions value) {
164     _localDefinitions = value;
165   }
166 
167   public TermsAndConditions getTermsAndConditions() {
168     return _termsAndConditions;
169   }
170 
171   public void setTermsAndConditions(TermsAndConditions value) {
172     _termsAndConditions = value;
173   }
174 
175   public ReviewedControls getReviewedControls() {
176     return _reviewedControls;
177   }
178 
179   public void setReviewedControls(ReviewedControls value) {
180     _reviewedControls = value;
181   }
182 
183   public List<AssessmentSubject> getAssessmentSubjects() {
184     return _assessmentSubjects;
185   }
186 
187   public void setAssessmentSubjects(List<AssessmentSubject> value) {
188     _assessmentSubjects = value;
189   }
190 
191   /**
192    * Add a new {@link AssessmentSubject} item to the underlying collection.
193    * @param item the item to add
194    * @return {@code true}
195    */
196   public boolean addAssessmentSubject(AssessmentSubject item) {
197     AssessmentSubject value = ObjectUtils.requireNonNull(item,"item cannot be null");
198     if (_assessmentSubjects == null) {
199       _assessmentSubjects = new LinkedList<>();
200     }
201     return _assessmentSubjects.add(value);
202   }
203 
204   /**
205    * Remove the first matching {@link AssessmentSubject} item from the underlying collection.
206    * @param item the item to remove
207    * @return {@code true} if the item was removed or {@code false} otherwise
208    */
209   public boolean removeAssessmentSubject(AssessmentSubject item) {
210     AssessmentSubject value = ObjectUtils.requireNonNull(item,"item cannot be null");
211     return _assessmentSubjects == null ? false : _assessmentSubjects.remove(value);
212   }
213 
214   public AssessmentAssets getAssessmentAssets() {
215     return _assessmentAssets;
216   }
217 
218   public void setAssessmentAssets(AssessmentAssets value) {
219     _assessmentAssets = value;
220   }
221 
222   public List<Task> getTasks() {
223     return _tasks;
224   }
225 
226   public void setTasks(List<Task> value) {
227     _tasks = value;
228   }
229 
230   /**
231    * Add a new {@link Task} item to the underlying collection.
232    * @param item the item to add
233    * @return {@code true}
234    */
235   public boolean addTask(Task item) {
236     Task value = ObjectUtils.requireNonNull(item,"item cannot be null");
237     if (_tasks == null) {
238       _tasks = new LinkedList<>();
239     }
240     return _tasks.add(value);
241   }
242 
243   /**
244    * Remove the first matching {@link Task} item from the underlying collection.
245    * @param item the item to remove
246    * @return {@code true} if the item was removed or {@code false} otherwise
247    */
248   public boolean removeTask(Task item) {
249     Task value = ObjectUtils.requireNonNull(item,"item cannot be null");
250     return _tasks == null ? false : _tasks.remove(value);
251   }
252 
253   public BackMatter getBackMatter() {
254     return _backMatter;
255   }
256 
257   public void setBackMatter(BackMatter value) {
258     _backMatter = value;
259   }
260 
261   @Override
262   public String toString() {
263     return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
264   }
265 
266   /**
267    * Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.
268    */
269   @MetaschemaAssembly(
270       formalName = "Assessment Plan Terms and Conditions",
271       description = "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.",
272       name = "terms-and-conditions",
273       metaschema = OscalApMetaschema.class
274   )
275   @ValueConstraints(
276       allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, target = "part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name", values = {@AllowedValue(value = "rules-of-engagement", description = "Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment."), @AllowedValue(value = "disclosures", description = "Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure."), @AllowedValue(value = "assessment-inclusions", description = "Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment."), @AllowedValue(value = "assessment-exclusions", description = "Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment."), @AllowedValue(value = "results-delivery", description = "Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom."), @AllowedValue(value = "assumptions", description = "Defines any supposition made by the assessor. Has child 'item' parts for each assumption."), @AllowedValue(value = "methodology", description = "An explanation of practices, procedures, and rules used in the course of the assessment.")})
277   )
278   public static class TermsAndConditions {
279     @BoundAssembly(
280         formalName = "Assessment Part",
281         description = "A partition of an assessment plan or results or a child of another part.",
282         useName = "part",
283         maxOccurs = -1
284     )
285     @GroupAs(
286         name = "parts",
287         inJson = JsonGroupAsBehavior.LIST
288     )
289     private List<AssessmentPart> _parts;
290 
291     public TermsAndConditions() {
292     }
293 
294     public List<AssessmentPart> getParts() {
295       return _parts;
296     }
297 
298     public void setParts(List<AssessmentPart> value) {
299       _parts = value;
300     }
301 
302     /**
303      * Add a new {@link AssessmentPart} item to the underlying collection.
304      * @param item the item to add
305      * @return {@code true}
306      */
307     public boolean addPart(AssessmentPart item) {
308       AssessmentPart value = ObjectUtils.requireNonNull(item,"item cannot be null");
309       if (_parts == null) {
310         _parts = new LinkedList<>();
311       }
312       return _parts.add(value);
313     }
314 
315     /**
316      * Remove the first matching {@link AssessmentPart} item from the underlying collection.
317      * @param item the item to remove
318      * @return {@code true} if the item was removed or {@code false} otherwise
319      */
320     public boolean removePart(AssessmentPart item) {
321       AssessmentPart value = ObjectUtils.requireNonNull(item,"item cannot be null");
322       return _parts == null ? false : _parts.remove(value);
323     }
324 
325     @Override
326     public String toString() {
327       return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
328     }
329   }
330 
331   /**
332    * Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
333    */
334   @MetaschemaAssembly(
335       formalName = "Local Definitions",
336       description = "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.",
337       name = "local-definitions",
338       metaschema = OscalApMetaschema.class
339   )
340   @AssemblyConstraints(
341       isUnique = {
342           @IsUnique(id = "unique-ap-local-definitions-component", level = IConstraint.Level.ERROR, target = "component", keyFields = @KeyField(target = "@uuid"), remarks = "Since multiple `component` entries can be provided, each component must have a unique `uuid`."),
343           @IsUnique(id = "unique-ap-local-definitions-user", level = IConstraint.Level.ERROR, target = "user", keyFields = @KeyField(target = "@uuid"), remarks = "A given `uuid` must be assigned only once to a user.")
344       }
345   )
346   public static class LocalDefinitions {
347     @BoundAssembly(
348         formalName = "Component",
349         description = "A defined component that can be part of an implemented system.",
350         useName = "component",
351         maxOccurs = -1,
352         remarks = "Used to add any components, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
353     )
354     @GroupAs(
355         name = "components",
356         inJson = JsonGroupAsBehavior.LIST
357     )
358     private List<SystemComponent> _components;
359 
360     @BoundAssembly(
361         formalName = "Inventory Item",
362         description = "A single managed inventory item within the system.",
363         useName = "inventory-item",
364         maxOccurs = -1,
365         remarks = "Used to add any inventory-items, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
366     )
367     @GroupAs(
368         name = "inventory-items",
369         inJson = JsonGroupAsBehavior.LIST
370     )
371     private List<InventoryItem> _inventoryItems;
372 
373     @BoundAssembly(
374         formalName = "System User",
375         description = "A type of user that interacts with the system based on an associated role.",
376         useName = "user",
377         maxOccurs = -1,
378         remarks = "Used to add any users, not defined via the System Security Plan (AR-\\>AP-\\>SSP)"
379     )
380     @GroupAs(
381         name = "users",
382         inJson = JsonGroupAsBehavior.LIST
383     )
384     private List<SystemUser> _users;
385 
386     @BoundAssembly(
387         formalName = "Assessment-Specific Control Objective",
388         description = "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.",
389         useName = "objectives-and-methods",
390         maxOccurs = -1
391     )
392     @GroupAs(
393         name = "objectives-and-methods",
394         inJson = JsonGroupAsBehavior.LIST
395     )
396     private List<LocalObjective> _objectivesAndMethods;
397 
398     @BoundAssembly(
399         formalName = "Activity",
400         description = "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.",
401         useName = "activity",
402         maxOccurs = -1
403     )
404     @GroupAs(
405         name = "activities",
406         inJson = JsonGroupAsBehavior.LIST
407     )
408     private List<Activity> _activities;
409 
410     @BoundField(
411         formalName = "Remarks",
412         description = "Additional commentary about the containing object.",
413         useName = "remarks"
414     )
415     @BoundFieldValue(
416         typeAdapter = MarkupMultilineAdapter.class
417     )
418     private MarkupMultiline _remarks;
419 
420     public LocalDefinitions() {
421     }
422 
423     public List<SystemComponent> getComponents() {
424       return _components;
425     }
426 
427     public void setComponents(List<SystemComponent> value) {
428       _components = value;
429     }
430 
431     /**
432      * Add a new {@link SystemComponent} item to the underlying collection.
433      * @param item the item to add
434      * @return {@code true}
435      */
436     public boolean addComponent(SystemComponent item) {
437       SystemComponent value = ObjectUtils.requireNonNull(item,"item cannot be null");
438       if (_components == null) {
439         _components = new LinkedList<>();
440       }
441       return _components.add(value);
442     }
443 
444     /**
445      * Remove the first matching {@link SystemComponent} item from the underlying collection.
446      * @param item the item to remove
447      * @return {@code true} if the item was removed or {@code false} otherwise
448      */
449     public boolean removeComponent(SystemComponent item) {
450       SystemComponent value = ObjectUtils.requireNonNull(item,"item cannot be null");
451       return _components == null ? false : _components.remove(value);
452     }
453 
454     public List<InventoryItem> getInventoryItems() {
455       return _inventoryItems;
456     }
457 
458     public void setInventoryItems(List<InventoryItem> value) {
459       _inventoryItems = value;
460     }
461 
462     /**
463      * Add a new {@link InventoryItem} item to the underlying collection.
464      * @param item the item to add
465      * @return {@code true}
466      */
467     public boolean addInventoryItem(InventoryItem item) {
468       InventoryItem value = ObjectUtils.requireNonNull(item,"item cannot be null");
469       if (_inventoryItems == null) {
470         _inventoryItems = new LinkedList<>();
471       }
472       return _inventoryItems.add(value);
473     }
474 
475     /**
476      * Remove the first matching {@link InventoryItem} item from the underlying collection.
477      * @param item the item to remove
478      * @return {@code true} if the item was removed or {@code false} otherwise
479      */
480     public boolean removeInventoryItem(InventoryItem item) {
481       InventoryItem value = ObjectUtils.requireNonNull(item,"item cannot be null");
482       return _inventoryItems == null ? false : _inventoryItems.remove(value);
483     }
484 
485     public List<SystemUser> getUsers() {
486       return _users;
487     }
488 
489     public void setUsers(List<SystemUser> value) {
490       _users = value;
491     }
492 
493     /**
494      * Add a new {@link SystemUser} item to the underlying collection.
495      * @param item the item to add
496      * @return {@code true}
497      */
498     public boolean addUser(SystemUser item) {
499       SystemUser value = ObjectUtils.requireNonNull(item,"item cannot be null");
500       if (_users == null) {
501         _users = new LinkedList<>();
502       }
503       return _users.add(value);
504     }
505 
506     /**
507      * Remove the first matching {@link SystemUser} item from the underlying collection.
508      * @param item the item to remove
509      * @return {@code true} if the item was removed or {@code false} otherwise
510      */
511     public boolean removeUser(SystemUser item) {
512       SystemUser value = ObjectUtils.requireNonNull(item,"item cannot be null");
513       return _users == null ? false : _users.remove(value);
514     }
515 
516     public List<LocalObjective> getObjectivesAndMethods() {
517       return _objectivesAndMethods;
518     }
519 
520     public void setObjectivesAndMethods(List<LocalObjective> value) {
521       _objectivesAndMethods = value;
522     }
523 
524     /**
525      * Add a new {@link LocalObjective} item to the underlying collection.
526      * @param item the item to add
527      * @return {@code true}
528      */
529     public boolean addObjectivesAndMethods(LocalObjective item) {
530       LocalObjective value = ObjectUtils.requireNonNull(item,"item cannot be null");
531       if (_objectivesAndMethods == null) {
532         _objectivesAndMethods = new LinkedList<>();
533       }
534       return _objectivesAndMethods.add(value);
535     }
536 
537     /**
538      * Remove the first matching {@link LocalObjective} item from the underlying collection.
539      * @param item the item to remove
540      * @return {@code true} if the item was removed or {@code false} otherwise
541      */
542     public boolean removeObjectivesAndMethods(LocalObjective item) {
543       LocalObjective value = ObjectUtils.requireNonNull(item,"item cannot be null");
544       return _objectivesAndMethods == null ? false : _objectivesAndMethods.remove(value);
545     }
546 
547     public List<Activity> getActivities() {
548       return _activities;
549     }
550 
551     public void setActivities(List<Activity> value) {
552       _activities = value;
553     }
554 
555     /**
556      * Add a new {@link Activity} item to the underlying collection.
557      * @param item the item to add
558      * @return {@code true}
559      */
560     public boolean addActivity(Activity item) {
561       Activity value = ObjectUtils.requireNonNull(item,"item cannot be null");
562       if (_activities == null) {
563         _activities = new LinkedList<>();
564       }
565       return _activities.add(value);
566     }
567 
568     /**
569      * Remove the first matching {@link Activity} item from the underlying collection.
570      * @param item the item to remove
571      * @return {@code true} if the item was removed or {@code false} otherwise
572      */
573     public boolean removeActivity(Activity item) {
574       Activity value = ObjectUtils.requireNonNull(item,"item cannot be null");
575       return _activities == null ? false : _activities.remove(value);
576     }
577 
578     public MarkupMultiline getRemarks() {
579       return _remarks;
580     }
581 
582     public void setRemarks(MarkupMultiline value) {
583       _remarks = value;
584     }
585 
586     @Override
587     public String toString() {
588       return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
589     }
590   }
591 }