Assessment Results
XML Format Outline
Click the triangle next to any element to expand its structure. Element names link to their definitions below.
<assessment-results> [1]
@uuid [1]: uuid <metadata> [1 to 1]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><action> [0 to ∞]
@uuid [1]: uuid @date [0 or 1]: date-time-with-timezone @type [1]: token @system [1]: uri <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><remarks/> [0 or 1]</action><published/> [0 or 1]<last-modified/> [1]<version/> [1]<oscal-version/> [1]<document-id/> [0 to ∞]<remarks/> [0 or 1]<revision> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><published/> [0 or 1]<last-modified/> [0 or 1]<version/> [1]<oscal-version/> [0 or 1]<remarks/> [0 or 1]<title/> [0 or 1]</revision><role> [0 to ∞]
@id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 or 1]<title/> [1]<short-name/> [0 or 1]<description/> [0 or 1]</role><location> [0 to ∞]
@uuid [1]: uuid <address> [0 or 1]
</address><property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><email-address/> [0 to ∞]<telephone-number/> [0 to ∞]<remarks/> [0 or 1]<title/> [0 or 1]<url/> [0 to ∞]</location><party> [0 to ∞]
@uuid [1]: uuid @type [1]: string <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><email-address/> [0 to ∞]<telephone-number/> [0 to ∞]<remarks/> [0 or 1]<name/> [0 or 1]<short-name/> [0 or 1]<external-id/> [0 to ∞]<member-of-organization/> [0 to ∞]<address> [0 to ∞]
</address><location-uuid/> [0 to ∞]</party><title/> [1]</metadata><result> [1 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><reviewed-controls> [1 to 1]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<control-selection> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-selection><control-objective-selection> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-objective-selection><description/> [0 to 1]</reviewed-controls><observation> [0 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><origin> [0 to ∞]
<origin-actor> [1 to ∞]
@type [1]: token @actor-uuid [1]: uuid @role-id [0 or 1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property></origin-actor><related-task> [0 to ∞]
@task-uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><assessment-subject> [0 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><remarks/> [0 to 1]<identified-subject> [0 or 1]
@subject-placeholder-uuid [1]: uuid <assessment-subject> [1 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject></identified-subject></related-task></origin><subject-reference> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<title/> [0 to 1]</subject-reference><remarks/> [0 to 1]<relevant-evidence> [0 to ∞]
@href [0 or 1]: uri-reference <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [1 to 1]</relevant-evidence><title/> [0 to 1]<description/> [1 to 1]<method/> [1 to ∞]<type/> [0 to ∞]<collected/> [1 to 1]<expires/> [0 to 1]</observation><risk> [0 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><origin> [0 to ∞]
<origin-actor> [1 to ∞]
@type [1]: token @actor-uuid [1]: uuid @role-id [0 or 1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property></origin-actor><related-task> [0 to ∞]
@task-uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><assessment-subject> [0 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><remarks/> [0 to 1]<identified-subject> [0 or 1]
@subject-placeholder-uuid [1]: uuid <assessment-subject> [1 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject></identified-subject></related-task></origin><characterization> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><origin> [1]
<origin-actor> [1 to ∞]
@type [1]: token @actor-uuid [1]: uuid @role-id [0 or 1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property></origin-actor><related-task> [0 to ∞]
@task-uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><assessment-subject> [0 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><remarks/> [0 to 1]<identified-subject> [0 or 1]
@subject-placeholder-uuid [1]: uuid <assessment-subject> [1 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject></identified-subject></related-task></origin><facet> [1 to ∞]
@name [1]: token @system [1]: uri @value [1]: string <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 or 1]</facet></characterization><response> [0 to ∞]
@uuid [1]: uuid @lifecycle [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><origin> [0 to ∞]
<origin-actor> [1 to ∞]
@type [1]: token @actor-uuid [1]: uuid @role-id [0 or 1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property></origin-actor><related-task> [0 to ∞]
@task-uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><assessment-subject> [0 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><remarks/> [0 to 1]<identified-subject> [0 or 1]
@subject-placeholder-uuid [1]: uuid <assessment-subject> [1 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject></identified-subject></related-task></origin><task> [0 to ∞]
@uuid [1]: uuid @type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><task/> [0 to ∞]<assessment-subject> [0 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><responsible-role> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [0 to ∞]<remarks/> [0 or 1]</responsible-role><remarks/> [0 to 1]<timing> [0 or 1]
<within-date-range> [1]
</within-date-range><at-frequency> [1]
</at-frequency></timing><associated-activity> [0 to ∞]
@activity-uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-role> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [0 to ∞]<remarks/> [0 or 1]</responsible-role><assessment-subject> [1 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><remarks/> [0 to 1]</associated-activity><title/> [1]<description/> [0 to 1]</task><remarks/> [0 to 1]<required-asset> [0 to ∞]
@uuid [1]: uuid <subject-reference> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<title/> [0 to 1]</subject-reference><property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<title/> [0 to 1]<description/> [1 to 1]</required-asset><title/> [1 to 1]<description/> [1 to 1]</response><related-observation> [0 to ∞]
@observation-uuid [1]: uuid <remarks/> [0 to 1]</related-observation><risk-status/> [1]<threat-id/> [0 to ∞]<mitigating-factor> [0 to ∞]
@uuid [1]: uuid @implementation-uuid [0 or 1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><subject-reference> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<title/> [0 to 1]</subject-reference><description/> [1 to 1]</mitigating-factor><risk-log> [0 or 1]
<entry> [1 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><related-task> [0 to ∞]
@task-uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><assessment-subject> [0 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><remarks/> [0 to 1]<identified-subject> [0 or 1]
@subject-placeholder-uuid [1]: uuid <assessment-subject> [1 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject></identified-subject></related-task><remarks/> [0 to 1]<title/> [0 to 1]<description/> [0 to 1]<start/> [1 to 1]<end/> [0 to 1]</entry></risk-log><title/> [1 to 1]<description/> [1 to 1]<statement/> [1]<deadline/> [0 or 1]</risk><finding> [0 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><origin> [0 to ∞]
<origin-actor> [1 to ∞]
@type [1]: token @actor-uuid [1]: uuid @role-id [0 or 1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property></origin-actor><related-task> [0 to ∞]
@task-uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><assessment-subject> [0 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><remarks/> [0 to 1]<identified-subject> [0 or 1]
@subject-placeholder-uuid [1]: uuid <assessment-subject> [1 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject></identified-subject></related-task></origin><finding-target> [1]
@type [1]: string @target-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<title/> [0 to 1]<description/> [0 to 1]</finding-target><related-observation> [0 to ∞]
@observation-uuid [1]: uuid <remarks/> [0 to 1]</related-observation><remarks/> [0 to 1]<title/> [1]<description/> [1]<implementation-statement-uuid/> [0 to 1]</finding><remarks/> [0 to 1]<local-definitions> [0 or 1]
<local-objective> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><part> [1 to ∞]
@id [0 or 1]: token @name [1]: token @ns [0 or 1]: uri @class [0 or 1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><part/> [0 to ∞]<link> [0 to ∞]
</link><title/> [0 or 1]<prose/> [0 or 1]</part><remarks/> [0 to 1]<description/> [0 to 1]</local-objective><activity> [0 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><reviewed-controls> [0 or 1]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<control-selection> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-selection><control-objective-selection> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-objective-selection><description/> [0 to 1]</reviewed-controls><responsible-role> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [0 to ∞]<remarks/> [0 or 1]</responsible-role><remarks/> [0 to 1]<step> [0 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><reviewed-controls> [0 or 1]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<control-selection> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-selection><control-objective-selection> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-objective-selection><description/> [0 to 1]</reviewed-controls><responsible-role> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [0 to ∞]<remarks/> [0 or 1]</responsible-role><remarks/> [0 to 1]<title/> [0 to 1]<description/> [1 to 1]</step><title/> [0 to 1]<description/> [1 to 1]</activity><remarks/> [0 to 1]</local-definitions><attestation> [0 to ∞]
<responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><assessment-part> [1 to ∞]
@uuid [0 or 1]: uuid @name [1]: token @ns [0 or 1]: uri @class [0 or 1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><assessment-part/> [0 to ∞]<link> [0 to ∞]
</link><title/> [0 to 1]<prose/> [0 or 1]</assessment-part></attestation><assessment-log> [0 or 1]
<entry> [1 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><related-task> [0 to ∞]
@task-uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><responsible-party> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [1 to ∞]<remarks/> [0 or 1]</responsible-party><assessment-subject> [0 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject><remarks/> [0 to 1]<identified-subject> [0 or 1]
@subject-placeholder-uuid [1]: uuid <assessment-subject> [1 to ∞]
@type [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><select-subject-by-id> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]<select-subject-by-id> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]</select-subject-by-id></assessment-subject></identified-subject></related-task><remarks/> [0 to 1]<title/> [0 to 1]<description/> [0 to 1]<start/> [1 to 1]<end/> [0 to 1]</entry></assessment-log><title/> [1 to 1]<description/> [1 to 1]<start/> [1 to 1]<end/> [0 to 1]</result><back-matter> [0 to 1]
<resource> [0 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><document-id/> [0 to ∞]<remarks/> [0 or 1]<citation> [0 or 1]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><text/> [1]</citation><title/> [0 or 1]<description/> [0 or 1]<base64/> [0 or 1]</resource></back-matter><local-definitions> [0 or 1]
<local-objective> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><part> [1 to ∞]
@id [0 or 1]: token @name [1]: token @ns [0 or 1]: uri @class [0 or 1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><part/> [0 to ∞]<link> [0 to ∞]
</link><title/> [0 or 1]<prose/> [0 or 1]</part><remarks/> [0 to 1]<description/> [0 to 1]</local-objective><activity> [0 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><reviewed-controls> [0 or 1]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<control-selection> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-selection><control-objective-selection> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-objective-selection><description/> [0 to 1]</reviewed-controls><responsible-role> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [0 to ∞]<remarks/> [0 or 1]</responsible-role><remarks/> [0 to 1]<step> [0 to ∞]
@uuid [1]: uuid <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><reviewed-controls> [0 or 1]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<control-selection> [1 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-selection><control-objective-selection> [0 to ∞]
<property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><remarks/> [0 to 1]<description/> [0 to 1]<include-all/> [1]</control-objective-selection><description/> [0 to 1]</reviewed-controls><responsible-role> [0 to ∞]
@role-id [1]: token <property> [0 to ∞]
@name [1]: token @uuid [0 or 1]: uuid @ns [0 or 1]: uri @value [1]: string @class [0 or 1]: token @group [0 or 1]: token <remarks/> [0 or 1]</property><link> [0 to ∞]
</link><party-uuid/> [0 to ∞]<remarks/> [0 or 1]</responsible-role><remarks/> [0 to 1]<title/> [0 to 1]<description/> [1 to 1]</step><title/> [0 to 1]<description/> [1 to 1]</activity><remarks/> [0 to 1]</local-definitions></assessment-results> <assessment-results> element root
DESCRIPTION Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<metadata> | assembly | [1 to 1] | Provides information about the containing document, and defines concepts that are shared across the document. |
<import-ap> | assembly | [1 to 1] | Used by assessment-results to import information about the original plan for assessing the system. |
<result> | assembly | [1 to ∞] | Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition. |
<back-matter> | assembly | [0 to 1] | A collection of resources that may be referenced from within the OSCAL document instance. |
<local-definitions> | assembly | [0 or 1] | Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP. |
Element Definitions (133)
<local-definitions> element
Local Definitions
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
Child Elements (3)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<local-objective> | assembly | [0 to ∞] | A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions. |
<activity> | assembly | [0 to ∞] | Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<attestation> element
Attestation Statements
A set of textual statements, typically written by the assessor.
Child Elements (2)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<responsible-party> | assembly | [0 to ∞] | A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object. |
<assessment-part> | assembly | [1 to ∞] | A partition of an assessment plan or results or a child of another part. |
<title> field
Action Title
The title for this event.
<description> field
Action Description
A human-readable description of this event.
<start> field
Start
Identifies the start date and time of an event.
<end> field
End
Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.
<entry> element
Assessment Log Entry
Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (9)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<logged-by> | assembly | [0 to ∞] | Used to indicate who created a log entry in what role. |
<related-task> | assembly | [0 to ∞] | Identifies an individual task for which the containing object is a consequence of. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<title> | field | [0 to 1] | The title for this event. |
<description> | field | [0 to 1] | A human-readable description of this event. |
<start> | field | [1 to 1] | Identifies the start date and time of an event. |
<end> | field | [0 to 1] | Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time. |
<assessment-log> element
Assessment Log
A log of all assessment-related actions taken.
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<entry> | assembly | [1 to ∞] | Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results. |
<result> element
Assessment Result
Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (14)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<reviewed-controls> | assembly | [1 to 1] | Identifies the controls being assessed and their control objectives. |
<observation> | assembly | [0 to ∞] | Describes an individual observation. |
<risk> | assembly | [0 to ∞] | An identified risk. |
<finding> | assembly | [0 to ∞] | Describes an individual finding. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<local-definitions> | assembly | [0 or 1] | Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP. |
<attestation> | assembly | [0 to ∞] | A set of textual statements, typically written by the assessor. |
<assessment-log> | assembly | [0 or 1] | A log of all assessment-related actions taken. |
<title> | field | [1 to 1] | The title for this event. |
<description> | field | [1 to 1] | A human-readable description of this event. |
<start> | field | [1 to 1] | Identifies the start date and time of an event. |
<end> | field | [0 to 1] | Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time. |
<import-ap> element
Import Assessment Plan
Used by assessment-results to import information about the original plan for assessing the system.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ href | uri-reference | Yes | A resolvable URL reference to the assessment plan governing the assessment activities. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<revision> element
Revision History Entry
An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).
While published, last-modified, and oscal-version are not required, values for these entries should be provided if the information is known. A link with a rel of source
should be provided if the information is known.
Child Elements (8)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<published> | field | [0 or 1] | The date and time the document was last made available. |
<last-modified> | field | [0 or 1] | The date and time the document was last stored for later retrieval. |
<version> | field | [1] | Used to distinguish a specific revision of an OSCAL document from other previous and future versions. |
<oscal-version> | field | [0 or 1] | The OSCAL model version the document was authored against and will conform to as valid. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<title> | field | [0 or 1] | The title for this event. |
Constraints (1)
- allowed-values
for
link/@rel- canonical: The link identifies the authoritative location for this resource. Defined by RFC 6596.
- alternate: The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard
- predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
- successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
- version-history: This link identifies a resource containing the version history of this document. Defined by RFC 5829.
<short-name> field
Role Short Name
A short common name, abbreviation, or acronym for the party.
<role> element
Role
Defines a function, which might be assigned to a party in a specific situation.
Permissible values to be determined closer to the application (e.g. by a receiving authority).
OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ id | token | Yes | A unique identifier for the role. |
Child Elements (6)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<title> | field | [1] | The title for this event. |
<short-name> | field | [0 or 1] | A short common name, abbreviation, or acronym for the party. |
<description> | field | [0 or 1] | A human-readable description of this event. |
<url> field
Location URL
The uniform resource locator (URL) for a web site or other resource associated with the location.
This data field is deprecated in favor of using a link with an appropriate relationship.
<location> element
Location
A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.
An address might be sensitive in nature. In such cases a title, mailing address, email-address, and/or phone number may be used instead.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. |
Child Elements (8)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<address> | assembly | [0 or 1] | A postal address for the location. |
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<email-address> | field | [0 to ∞] | An email address as defined by RFC 5322 Section 3.4.1. |
<telephone-number> | field | [0 to ∞] | A telephone service number as defined by ITU-T E.164. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<title> | field | [0 or 1] | The title for this event. |
<url> | field | [0 to ∞] | The uniform resource locator (URL) for a web site or other resource associated with the location. |
Constraints (3)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- type: Identifies the type of resource represented. The most specific appropriate type value SHOULD be used.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value- data-center: A location that contains computing assets. A
classcan be used to indicate the sub-type of data-center as primary or alternate.
- data-center: A location that contains computing assets. A
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type' and @value='data-center']/@class- primary: The location is a data-center used for normal operations.
- alternate: The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard
<name> field
Party Name
The full name of the party. This is typically the legal name associated with the party.
<external-id> field
Party External Identifier
An identifier for a person or organization using a designated
scheme. e.g. an Open Researcher and Contributor ID
(ORCID).
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ scheme | uri | Yes | Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters. |
<member-of-organization> field
Organizational Affiliation
A reference to another
party by UUID, typically an organization, that this subject is associated with. Since the reference target of an organizational affiliation must be another party (whether further qualified as person or organization) as indicated by its uuid. As a machine-oriented identifier with uniqueness across document and trans-document scope, this uuid value is sufficient to reference the data item locally or globally across related documents, e.g., in an imported OSCAL instance.
Parties of both the person or organization type can be associated with an organization using the member-of-organization.
<party> element
Party
An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.
A party can be optionally associated with either an address or a location. While providing a meaningful location for a party is desired, there are some cases where it might not be possible to provide an exact location or even any location.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. |
@ type | string | Yes | Indicates the type of phone number. |
Child Elements (11)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<email-address> | field | [0 to ∞] | An email address as defined by RFC 5322 Section 3.4.1. |
<telephone-number> | field | [0 to ∞] | A telephone service number as defined by ITU-T E.164. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<name> | field | [0 or 1] | The full name of the party. This is typically the legal name associated with the party. |
<short-name> | field | [0 or 1] | A short common name, abbreviation, or acronym for the party. |
<external-id> | field | [0 to ∞] | An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID). |
<member-of-organization> | field | [0 to ∞] | A reference to another party by UUID, typically an organization, that this subject is associated with. |
<address> | assembly | [0 to ∞] | A postal address for the location. |
<location-uuid> | field | [0 to ∞] | Reference to a location by UUID. |
Constraints (1)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- mail-stop: A mail stop associated with the party.
- office: An office phone number.
- job-title: The formal job title of a person.
<metadata> element
Document Metadata
Provides information about the containing document, and defines concepts that are shared across the document.
All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.
The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.
A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.
A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.
Child Elements (15)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<responsible-party> | assembly | [0 to ∞] | A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object. |
<action> | assembly | [0 to ∞] | An action applied by a role within a given party to the content. |
<published> | field | [0 or 1] | The date and time the document was last made available. |
<last-modified> | field | [1] | The date and time the document was last stored for later retrieval. |
<version> | field | [1] | Used to distinguish a specific revision of an OSCAL document from other previous and future versions. |
<oscal-version> | field | [1] | The OSCAL model version the document was authored against and will conform to as valid. |
<document-id> | field | [0 to ∞] | A document identifier qualified by an identifier
scheme. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<revision> | assembly | [0 to ∞] | An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first). |
<role> | assembly | [0 to ∞] | Defines a function, which might be assigned to a party in a specific situation. |
<location> | assembly | [0 to ∞] | A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document. |
<party> | assembly | [0 to ∞] | An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document. |
<title> | field | [1] | The title for this event. |
Constraints (9)
- allowed-values
for
responsible-party/@role-id- creator: Indicates the person or organization that created this content.
- prepared-by: Indicates the person or organization that prepared this content.
- prepared-for: Indicates the person or organization for which this content was created.
- content-approver: Indicates the person or organization responsible for all content represented in the "document".
- contact: Indicates the person or organization to contact for questions or support related to this content.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- keywords: The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications.
- allowed-values
for
link/@rel- canonical: The link identifies the authoritative location for this resource. Defined by RFC 6596.
- alternate: The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard
- latest-version: This link identifies a resource containing the latest version in the version history. Defined by RFC 5829.
- predecessor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
- successor-version: This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.
- index
for
roleIndex "index-metadata-role-ids" on role - index
for
.//propIndex "index-metadata-property-uuid" on .//prop - index
for
roleIndex "index-metadata-role-id" on role - index
for
locationIndex "index-metadata-location-uuid" on location - index
for
partyIndex "index-metadata-party-uuid" on party - index
for
party[@type='organization']Index "index-metadata-party-organizations-uuid" on party[@type='organization']
<text> field
Citation Text
A textual label to associate with the link, which may be used for presentation in a tool.
<citation> element
Citation
An optional citation consisting of end note text using structured markup.
Child Elements (3)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<text> | field | [1] | A textual label to associate with the link, which may be used for presentation in a tool. |
<rlink> element
Resource link
A URL-based pointer to an external resource with an optional hash for verification and change detection.
Multiple rlink objects can be included for a resource. In such a case, all provided rlink items are intended to be equivalent in content, but may differ in structure or format.
A media-type is used to identify the format of a given rlink, and can be used to differentiate items in a collection of rlinks. The media-type provides a hint to the OSCAL document consumer about the structure of the resource referenced by the rlink.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ href | uri-reference | Yes | A resolvable URL reference to a resource. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<hash> | field | [0 to ∞] | A representation of a cryptographic digest generated over a resource using a specified hash algorithm. |
<base64> field
Base64
A resource encoded using the Base64 alphabet defined by RFC 2045.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ filename | token | No | Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded. |
<resource> element
Resource
A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.
A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource.
Both rlink and base64 allow for a media-type to be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.
When a resource includes a citation, then the title and citation properties must both be included.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. |
Child Elements (8)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<document-id> | field | [0 to ∞] | A document identifier qualified by an identifier
scheme. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<citation> | assembly | [0 or 1] | An optional citation consisting of end note text using structured markup. |
<rlink> | assembly | [0 to ∞] | A URL-based pointer to an external resource with an optional hash for verification and change detection. |
<title> | field | [0 or 1] | The title for this event. |
<description> | field | [0 or 1] | A human-readable description of this event. |
<base64> | field | [0 or 1] | A resource encoded using the Base64 alphabet defined by RFC 2045. |
Constraints (3)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- type: Identifies the type of resource represented. The most specific appropriate type value SHOULD be used.
- version: For resources representing a published document, this represents the version number of that document.
- published: For resources representing a published document, this represents the publication date of that document.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value- logo: Indicates the resource is an organization's logo.
- image: Indicates the resource represents an image.
- screen-shot: Indicates the resource represents an image of screen content.
- law: Indicates the resource represents an applicable law.
- regulation: Indicates the resource represents an applicable regulation.
- standard: Indicates the resource represents an applicable standard.
- external-guidance: Indicates the resource represents applicable guidance.
- acronyms: Indicates the resource provides a list of relevant acronyms.
- citation: Indicates the resource cites relevant information.
- policy: Indicates the resource is a policy.
- procedure: Indicates the resource is a procedure.
- system-guide: Indicates the resource is guidance document related to the subject system of an SSP.
- users-guide: Indicates the resource is guidance document a user's guide or administrator's guide.
- administrators-guide: Indicates the resource is guidance document a administrator's guide.
- rules-of-behavior: Indicates the resource represents rules of behavior content.
- plan: Indicates the resource represents a plan.
- artifact: Indicates the resource represents an artifact, such as may be reviewed by an assessor.
- evidence: Indicates the resource represents evidence, such as to support an assessment finding.
- tool-output: Indicates the resource represents output from a tool.
- raw-data: Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation.
- interview-notes: Indicates the resource represents notes from an interview, such as may be collected during an assessment.
- questionnaire: Indicates the resource is a set of questions, possibly with responses.
- report: Indicates the resource is a report.
- agreement: Indicates the resource is a formal agreement between two or more parties.
- expect
for
.[citation]Test: title
<back-matter> element
Back matter
A collection of resources that may be referenced from within the OSCAL document instance.
Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<resource> | assembly | [0 to ∞] | A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources. |
Constraints (1)
- index
for
resourceIndex "index-back-matter-resource" on resource
<property> element
Property
An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.
Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.
Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ name | token | Yes | A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object. |
@ uuid | uuid | No | A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. |
@ ns | uri | No | A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name. |
@ value | string | Yes | Indicates the value of the attribute, characteristic, or quality. |
@ class | token | No | A textual label that provides a sub-type or characterization of the
property's name. |
@ group | token | No | An identifier for relating distinct sets of properties. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
Constraints (1)
- allowed-values
for
.[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- marking: A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value.
<link> element
Link
A reference to a local or remote resource, that has a specific relation to the containing object.
To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.
The OSCAL link is a roughly based on the HTML link element.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ href | uri-reference | Yes | A resolvable URL reference to a resource. |
@ rel | token | No | Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose. |
@ resource-fragment | string | No | In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<text> | field | [0 or 1] | A textual label to associate with the link, which may be used for presentation in a tool. |
Constraints (1)
- expect
for
.[starts-with(@href,'#')]Test: not(exists(@media-type))
<responsible-party> element
Responsible Party
A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.
A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.
The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ role-id | token | Yes | A human-oriented identifier reference to a role performed. |
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<party-uuid> | field | [1 to ∞] | Reference to a party by UUID. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<action> element
Action
An action applied by a role within a given party to the content.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. |
@ date | date-time-with-timezone | No | The date and time when the action occurred. |
@ type | token | Yes | Indicates the type of phone number. |
@ system | uri | Yes | Specifies the action type system used. |
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<responsible-party> | assembly | [0 to ∞] | A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
Constraints (2)
- allowed-values
for
./system/@value- http://csrc.nist.gov/ns/oscal: This value identifies action types defined in the NIST OSCAL namespace.
- allowed-values
for
./type[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@value- approval: An approval of a document instance's content.
- request-changes: A request from the responsible party or parties to change the content.
<responsible-role> element
Responsible Role
A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.
A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.
The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ role-id | token | Yes | A human-oriented identifier reference to a role performed. |
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<party-uuid> | field | [0 to ∞] | Reference to a party by UUID. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<city> field
City
City, town or geographical region for the mailing address.
<state> field
State
State, province or analogous geographical region for a mailing
address.
<postal-code> field
Postal Code
Postal or ZIP code for mailing address.
<country> field
Country Code
The ISO 3166-1 alpha-2 country code for the mailing address.
<address> element
Address
A postal address for the location.
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<addr-line> | field | [0 to ∞] | A single line of an address. |
<city> | field | [0 or 1] | City, town or geographical region for the mailing address. |
<state> | field | [0 or 1] | State, province or analogous geographical region for a mailing address. |
<postal-code> | field | [0 or 1] | Postal or ZIP code for mailing address. |
<country> | field | [0 or 1] | The ISO 3166-1 alpha-2 country code for the mailing address. |
<location-uuid> field
Location Universally Unique Identifier Reference
Reference to a location by UUID.
<party-uuid> field
Party Universally Unique Identifier Reference
Reference to a party by UUID.
<role-id> field
Role Identifier Reference
Reference to a role by UUID.
<hash> field
Hash
A representation of a cryptographic digest generated over a resource using a specified hash algorithm.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ algorithm | string | Yes | The digest method by which a hash is derived. |
<remarks> field
Remarks
Additional commentary about the containing object.
The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.
<published> field
Publication Timestamp
The date and time the document was last made available.
Typically, this date value will be machine-generated at the time the containing document is published.
In some cases, an OSCAL document may be derived from some source material provided in a different format. In such a case, the published value should indicate when the OSCAL document instance was last published, not the source material.
<last-modified> field
Last Modified Timestamp
The date and time the document was last stored for later retrieval.
This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification. Ideally, this field will be managed by the editing tool or service used to make modifications when storing the modified document.
The intent of the last modified timestamp is to distinguish between significant change milestones when the document may be accessed by multiple entities. This allows a given entity to differentiate between multiple document states at specific points in time. It is possible to make multiple modifications to the document without storing these changes. In such a case, the last modified timestamp might not be updated until the document is finally stored.
In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the last modification time of the OSCAL document instance, not the source material.
<version> field
Document Version
Used to distinguish a specific revision of an OSCAL document from other previous and future versions.
A version may be a release number, sequence number, date, or other identifier sufficient to distinguish between different document revisions.
While not required, it is recommended that OSCAL content authors use Semantic Versioning as the version format. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.
A version is typically set by the document owner or by the tool used to maintain the content.
<oscal-version> field
OSCAL Version
The OSCAL model version the document was authored against and will conform to as valid.
Indicates the version of the OSCAL model to which the document conforms, for example 1.1.0
or 1.0.0-milestone1
. That can be used as a hint for a tool indicating which version of the OSCAL XML or JSON schema to use for validation.
The OSCAL version serves a different purpose from the document version and is used to represent a different concept. If both have the same value, this is coincidental.
<email-address> field
Email Address
An email address as defined by RFC 5322 Section
3.4.1.
<telephone-number> field
Telephone Number
A telephone service number as defined by ITU-T E.164.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ type | string | No | Indicates the type of phone number. |
<addr-line> field
Address line
A single line of an address.
<document-id> field
Document Identifier
A document identifier qualified by an identifier
scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions, representations or digital surrogates of the same document.
A document identifier provides an additional data point for identifying a document that can be assigned by a publisher or organization for purposes in a wider system, such as a digital object identifier (DOI) or a local content management system identifier.
Use of a document identifier allows for document creators to associate sets of documents that are related in some way by the same document-id.
An OSCAL document always has an implicit document identifier provided by the document's UUID, defined by the uuid on the top-level object. Having a default UUID-based identifier ensures all documents can be minimally identified when other document identifiers are not provided.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ scheme | uri | No | Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters. |
<import-ssp> element
Import System Security Plan
Used by the assessment plan and POA&M to import information about the system.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ href | uri-reference | Yes | An optional location for the threat data, from which this ID originates. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<local-objective> element
Assessment-Specific Control Objective
A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<part> | assembly | [1 to ∞] | An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<description> | field | [0 to 1] | A human-readable description of this event. |
Constraints (1)
- allowed-values
for
part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- objective: Describes a set of control objectives.
- assessment: **(deprecated)** Use 'assessment-method' instead.
- assessment-objective: The part defines an assessment objective.
- assessment-method: The part defines an assessment method.
<assessment-method> element
Assessment Method
A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<assessment-part> | assembly | [1 to 1] | A partition of an assessment plan or results or a child of another part. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<description> | field | [0 to 1] | A human-readable description of this event. |
<step> element
Step
Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (7)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<reviewed-controls> | assembly | [0 or 1] | Identifies the controls being assessed and their control objectives. |
<responsible-role> | assembly | [0 to ∞] | A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<title> | field | [0 to 1] | The title for this event. |
<description> | field | [1 to 1] | A human-readable description of this event. |
<activity> element
Activity
Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (8)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<reviewed-controls> | assembly | [0 or 1] | Identifies the controls being assessed and their control objectives. |
<responsible-role> | assembly | [0 to ∞] | A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<step> | assembly | [0 to ∞] | Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure. |
<title> | field | [0 to 1] | The title for this event. |
<description> | field | [1 to 1] | A human-readable description of this event. |
Constraints (2)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- method: The assessment method to use. This typically appears on parts with the name "objective".
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']/@value- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
<on-date> element
On Date Condition
The task is intended to occur on the specified date.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ date | date-time-with-timezone | Yes | The task must occur on the specified date. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<within-date-range> element
On Date Range Condition
The task is intended to occur within the specified date range.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ start | date-time-with-timezone | Yes | The task must occur on or after the specified date. |
@ end | date-time-with-timezone | Yes | The task must occur on or before the specified date. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<at-frequency> element
Frequency Condition
The task is intended to occur at the specified frequency.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ period | positive-integer | Yes | The task must occur after the specified period has elapsed. |
@ unit | string | Yes | The unit of time for the period. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<timing> element
Event Timing
The timing under which the task is intended to occur.
Child Elements (3)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<on-date> | assembly | [1] | The task is intended to occur on the specified date. |
<within-date-range> | assembly | [1] | The task is intended to occur within the specified date range. |
<at-frequency> | assembly | [1] | The task is intended to occur at the specified frequency. |
<dependency> element
Task Dependency
Used to indicate that a task is dependent on another task.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ task-uuid | uuid | Yes | A machine-oriented identifier reference to a unique task. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<associated-activity> element
Associated Activity
Identifies an individual activity to be performed as part of a task.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ activity-uuid | uuid | Yes | A machine-oriented identifier reference to an activity defined in the list of activities. |
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<responsible-role> | assembly | [0 to ∞] | A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role. |
<assessment-subject> | assembly | [1 to ∞] | Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<task> element
Task
Represents a scheduled event or milestone, which may be associated with a series of assessment actions.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
@ type | token | Yes | The kind of actor. |
Child Elements (11)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<task> | assembly | [0 to ∞] | Represents a scheduled event or milestone, which may be associated with a series of assessment actions. |
<assessment-subject> | assembly | [0 to ∞] | Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope. |
<responsible-role> | assembly | [0 to ∞] | A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<timing> | assembly | [0 or 1] | The timing under which the task is intended to occur. |
<dependency> | assembly | [0 to ∞] | Used to indicate that a task is dependent on another task. |
<associated-activity> | assembly | [0 to ∞] | Identifies an individual activity to be performed as part of a task. |
<title> | field | [1] | The title for this event. |
<description> | field | [0 to 1] | A human-readable description of this event. |
<control-selection> element
Assessed Controls
Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.
The include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile statement within the linked SSP.
Any control specified within exclude-controls must first be within a range of explicitly included controls, via include-controls or include-all.
Child Elements (7)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<select-control-by-id> | assembly | [0 to ∞] | Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the assessment scope. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<description> | field | [0 to 1] | A human-readable description of this event. |
<include-all> | assembly | [1] | Include all controls from the imported catalog or profile resources. |
<select-control-by-id> | assembly | [1 to ∞] | Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the assessment scope. |
<control-objective-selection> element
Referenced Control Objectives
Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.
The include-all field, specifies all control objectives for any in-scope control. In-scope controls are defined in the control-selection.
Any control objective specified within exclude-controls must first be within a range of explicitly included control objectives, via include-objectives or include-all.
Child Elements (7)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<select-objective-by-id> | assembly | [0 to ∞] | Used to select a control objective for inclusion/exclusion based on the control objective's identifier. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<description> | field | [0 to 1] | A human-readable description of this event. |
<include-all> | assembly | [1] | Include all controls from the imported catalog or profile resources. |
<select-objective-by-id> | assembly | [1 to ∞] | Used to select a control objective for inclusion/exclusion based on the control objective's identifier. |
<reviewed-controls> element
Reviewed Controls and Control Objectives
Identifies the controls being assessed and their control objectives.
In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.
When resolving the selection of controls and control objectives, the following processing will occur:
1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.
2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.
Child Elements (6)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<control-selection> | assembly | [1 to ∞] | Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan. |
<control-objective-selection> | assembly | [0 to ∞] | Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan. |
<description> | field | [0 to 1] | A human-readable description of this event. |
<statement-id> field
Include Specific Statements
Used to constrain the selection to only specificity identified statements.
<select-control-by-id> element
Select Control
Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the assessment scope.
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<statement-id> | field | [0 to ∞] | Used to constrain the selection to only specificity identified statements. |
<select-objective-by-id> element
Select Objective
Used to select a control objective for inclusion/exclusion based on the control objective's identifier.
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<source> element
Assessment Subject Source
Assessment subjects will be identified while conducting the referenced activity-instance.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ task-uuid | uuid | Yes | A machine-oriented identifier reference to a unique task. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<assessment-subject-placeholder> element
Assessment Subject Placeholder
Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<source> | assembly | [1 to ∞] | Assessment subjects will be identified while conducting the referenced activity-instance. |
<description> | field | [0 or 1] | A human-readable description of this event. |
<assessment-subject> element
Subject of Assessment
Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.
Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ type | token | Yes | The kind of actor. |
Child Elements (7)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<select-subject-by-id> | assembly | [0 to ∞] | Identifies a set of assessment subjects to include/exclude by UUID. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<description> | field | [0 to 1] | A human-readable description of this event. |
<include-all> | assembly | [1] | Include all controls from the imported catalog or profile resources. |
<select-subject-by-id> | assembly | [1 to ∞] | Identifies a set of assessment subjects to include/exclude by UUID. |
<select-subject-by-id> element
Select Assessment Subject
Identifies a set of assessment subjects to include/exclude by UUID.
Child Elements (3)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<subject-reference> element
Identifies the Subject
A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.
The subject reference UUID could point to an item defined in the SSP, AP, or AR.
Tools should check look for the ID in every file imported directly or indirectly.
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<title> | field | [0 to 1] | The title for this event. |
<uses-component> element
Uses Component
The set of components that are used by the assessment platform.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ component-uuid | uuid | Yes | A machine-oriented identifier reference to a component that is implemented as part of an inventory item. |
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<responsible-party> | assembly | [0 to ∞] | A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<assessment-platform> element
Assessment Platform
Used to represent the toolset used to perform aspects of the assessment.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<uses-component> | assembly | [0 to ∞] | The set of components that are used by the assessment platform. |
<title> | field | [0 to 1] | The title for this event. |
<assessment-assets> element
Assessment Assets
Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
Child Elements (2)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<system-component> | assembly | [0 to ∞] | A defined component that can be part of an implemented system. |
<assessment-platform> | assembly | [1 to ∞] | Used to represent the toolset used to perform aspects of the assessment. |
<status> element
Objective Status
A determination of if the objective is satisfied or not within a given system.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ state | token | Yes | An indication as to whether the objective is satisfied or not. |
@ reason | token | No | The reason the objective was given it's status. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<finding-target> element
Objective Status
Captures an assessor's conclusions regarding the degree to which an objective is satisfied.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ type | string | Yes | The kind of actor. |
@ target-id | token | Yes | A machine-oriented identifier reference for a specific target qualified by the type. |
Child Elements (7)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<implementation-status> | assembly | [0 or 1] | Indicates the degree to which the a given control is implemented. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<status> | assembly | [1] | A determination of if the objective is satisfied or not within a given system. |
<title> | field | [0 to 1] | The title for this event. |
<description> | field | [0 to 1] | A human-readable description of this event. |
<implementation-statement-uuid> field
Implementation Statement UUID
A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.
<finding> element
Finding
Describes an individual finding.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (10)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<origin> | assembly | [0 to ∞] | Identifies the source of the finding, such as a tool, interviewed person, or activity. |
<finding-target> | assembly | [1] | Captures an assessor's conclusions regarding the degree to which an objective is satisfied. |
<related-observation> | assembly | [0 to ∞] | Relates the identified element to a set of referenced observations that were used to support its determination. |
<associated-risk> | assembly | [0 to ∞] | Relates the finding to a set of referenced risks that were used to determine the finding. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<title> | field | [1] | The title for this event. |
<description> | field | [1] | A human-readable description of this event. |
<implementation-statement-uuid> | field | [0 to 1] | A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related. |
<associated-risk> element
Associated Risk
Relates the finding to a set of referenced risks that were used to determine the finding.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ risk-uuid | uuid | Yes | A machine-oriented identifier reference to a risk defined in the list of risks. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<relevant-evidence> element
Relevant Evidence
Links this observation to relevant evidence.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ href | uri-reference | No | An optional location for the threat data, from which this ID originates. |
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<description> | field | [1 to 1] | A human-readable description of this event. |
<method> field
Observation Method
Identifies how the observation was made.
Constraints (1)
- allowed-values
for
.- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
- UNKNOWN: This is only for use when converting historic content to OSCAL, where the conversion process cannot initially identify the appropriate method(s).
<type> field
Observation Type
Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.
Constraints (1)
- allowed-values
for
.- ssp-statement-issue: A difference between the SSP implementation statement, and actual implementation.
- control-objective: An observation about the status of a the associated control objective.
- mitigation: An activity was completed that reduces the likelihood or impact of this risk.
- finding: **(deprecated)** Use 'discovery' instead.
- discovery: An observation of potential risk in the system's implementation, identified through security scanning tools, penetration testing, and other means.
- historic: An observation from a past assessment, which was converted to OSCAL at a later date.
<collected> field
Collected Field
Date/time stamp identifying when the finding information was collected.
<expires> field
Expires Field
Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.
<observation> element
Observation
Describes an individual observation.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (12)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<origin> | assembly | [0 to ∞] | Identifies the source of the finding, such as a tool, interviewed person, or activity. |
<subject-reference> | assembly | [0 to ∞] | A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<relevant-evidence> | assembly | [0 to ∞] | Links this observation to relevant evidence. |
<title> | field | [0 to 1] | The title for this event. |
<description> | field | [1 to 1] | A human-readable description of this event. |
<method> | field | [1 to ∞] | Identifies how the observation was made. |
<type> | field | [0 to ∞] | Identifies the nature of the observation. More than one may be used to further qualify and enable filtering. |
<collected> | field | [1 to 1] | Date/time stamp identifying when the finding information was collected. |
<expires> | field | [0 to 1] | Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios. |
<origin> element
Origin
Identifies the source of the finding, such as a tool, interviewed person, or activity.
Child Elements (2)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<origin-actor> | assembly | [1 to ∞] | The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool. |
<related-task> | assembly | [0 to ∞] | Identifies an individual task for which the containing object is a consequence of. |
<origin-actor> element
Originating Actor
The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ type | token | Yes | The kind of actor. |
@ actor-uuid | uuid | Yes | A machine-oriented identifier reference to the tool or person based on the associated type. |
@ role-id | token | No | A point to the role-id of the role in which the party is making the log entry. |
Child Elements (2)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<identified-subject> element
Identified Subject
Used to detail assessment subjects that were identified by this task.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ subject-placeholder-uuid | uuid | Yes | A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<assessment-subject> | assembly | [1 to ∞] | Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope. |
<mitigating-factor> element
Mitigating Factor
Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
@ implementation-uuid | uuid | No | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<subject-reference> | assembly | [0 to ∞] | A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. |
<description> | field | [1 to 1] | A human-readable description of this event. |
<risk-log> element
Risk Log
A log of all risk-related tasks taken.
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<entry> | assembly | [1 to ∞] | Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results. |
<statement> field
Risk Statement
An summary of impact for how the risk affects the system.
<deadline> field
Risk Resolution Deadline
The date/time by which the risk must be resolved.
<risk> element
Identified Risk
An identified risk.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (14)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<origin> | assembly | [0 to ∞] | Identifies the source of the finding, such as a tool, interviewed person, or activity. |
<characterization> | assembly | [0 to ∞] | A collection of descriptive data about the containing object from a specific origin. |
<response> | assembly | [0 to ∞] | Describes either recommended or an actual plan for addressing the risk. |
<related-observation> | assembly | [0 to ∞] | Relates the identified element to a set of referenced observations that were used to support its determination. |
<risk-status> | field | [1] | Describes the status of the associated risk. |
<threat-id> | field | [0 to ∞] | A pointer, by ID, to an externally-defined threat. |
<mitigating-factor> | assembly | [0 to ∞] | Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP. |
<risk-log> | assembly | [0 or 1] | A log of all risk-related tasks taken. |
<title> | field | [1 to 1] | The title for this event. |
<description> | field | [1 to 1] | A human-readable description of this event. |
<statement> | field | [1] | An summary of impact for how the risk affects the system. |
<deadline> | field | [0 or 1] | The date/time by which the risk must be resolved. |
Constraints (1)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- false-positive: The risk has been confirmed to be a false positive.
- accepted: The risk has been accepted. No further action will be taken.
- risk-adjusted: The risk has been adjusted.
- priority: A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority)
<logged-by> element
Logged By
Used to indicate who created a log entry in what role.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ party-uuid | uuid | Yes | A machine-oriented identifier reference to the party who is making the log entry. |
@ role-id | token | No | A point to the role-id of the role in which the party is making the log entry. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<facet> element
Facet
An individual characteristic that is part of a larger set produced by the same actor.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ name | token | Yes | A textual label that uniquely identifies the part's semantic type. |
@ system | uri | Yes | Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash. |
@ value | string | Yes | Indicates the value of the facet. |
Child Elements (3)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
Constraints (51)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- state: Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk).
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='state']/@value- initial: As first identified.
- adjusted: Indicates that residual risk remains after some adjustments have been made.
- allowed-values
for
(.)[@system='http://csrc.nist.gov/ns/oscal']/@name- likelihood: Likelihood as defined by FedRAMP. The
classcan be used to specify 'initial' and 'adjusted' risk states. - impact: Impact as defined by FedRAMP. The
classcan be used to specify 'initial' and 'adjusted' risk states. - risk: Risk as calculated according to FedRAMP. The
classcan be used to specify 'initial' and 'adjusted' risk states. - severity: General severity rating.
- likelihood: Likelihood as defined by FedRAMP. The
- allowed-values
for
(.)[@system=('http://fedramp.gov','http://fedramp.gov/ns/oscal')]/@name- likelihood: Likelihood as defined by FedRAMP. The
classcan be used to specify 'initial' and 'adjusted' risk states. - impact: Impact as defined by FedRAMP. The
classcan be used to specify 'initial' and 'adjusted' risk states. - risk: Risk as calculated according to FedRAMP. The
classcan be used to specify 'initial' and 'adjusted' risk states.
- likelihood: Likelihood as defined by FedRAMP. The
- allowed-values
for
(.)[@system='http://cve.mitre.org']/@name- cve-id: An identifier managed by the CVE program (see https://cve.mitre.org/).
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0']/@name- access-vector: Base: Access Vector
- access-complexity: Base: Attack Complexity
- authentication: Base: Authentication
- confidentiality-impact: Base: Confidentiality Impact
- integrity-impact: Base: Integrity Impact
- availability-impact: Base: Availability Impact
- exploitability: Temporal: Exploitability
- remediation-level: Temporal: Remediation Level
- report-confidence: Temporal: Report Confidence
- collateral-damage-potential: Environmental: Collateral Damage Potential
- target-distribution: Environmental: Target Distribution
- confidentiality-requirement: Environmental: Confidentiality Requirement Modifier
- integrity-requirement: Environmental: Integrity Requirement Modifier
- availability-requirement: Environmental: Availability Requirement Modifier
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name='access-vector']/@value- local: Local
- adjacent-network: Network Adjacent
- network: Network
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name='access-complexity']/@value- high: High
- medium: Medium
- low: Low
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name='authentication']/@value- multiple: Multiple
- single: Single
- none: No response, such as when the identified risk is found to be a false positive.
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name=('confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value- none: No response, such as when the identified risk is found to be a false positive.
- partial: Partial
- complete: Complete
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name='exploitability']/@value- unproven: Unproven
- proof-of-concept: Proof-of-Concept
- functional: Functional
- high: High
- not-defined: Not Defined
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name='remediation-level']/@value- official-fix: Official Fix
- temporary-fix: Temporary Fix
- workaround: Workaround
- unavailable: Unavailable
- not-defined: Not Defined
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name='report-confidence']/@value- unconfirmed: Unconfirmed
- uncorroborated: Uncorroborated
- confirmed: Confirmed
- not-defined: Not Defined
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name='collateral-damage-potential']/@value- none: No response, such as when the identified risk is found to be a false positive.
- low: Low
- low-medium: Low Medium
- medium-high: Medium High
- high: High
- not-defined: Not Defined
- allowed-values
for
(.)[@system='http://www.first.org/cvss/v2.0' and @name=('target-distribution', 'confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value- none: No response, such as when the identified risk is found to be a false positive.
- low: Low
- medium: Medium
- high: High
- not-defined: Not Defined
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1')]/@name- attack-vector: Base: Attack Vector
- access-complexity: Base: Attack Complexity
- privileges-required: Base: Privileges Required
- user-interaction: Base: User Interaction
- scope: Base: Scope
- confidentiality-impact: Base: Confidentiality Impact
- integrity-impact: Base: Integrity Impact
- availability-impact: Base: Availability Impact
- exploit-code-maturity: Temporal: Exploit Code Maturity
- remediation-level: Temporal: Remediation Level
- report-confidence: Temporal: Report Confidence
- modified-attack-vector: Environmental: Modified Attack Vector
- modified-attack-complexity: Environmental: Modified Attack Complexity
- modified-privileges-required: Environmental: Modified Privileges Required
- modified-user-interaction: Environmental: Modified User Interaction
- modified-scope: Environmental: Modified Scope
- modified-confidentiality: Environmental: Modified Confidentiality
- modified-integrity: Environmental: Modified Integrity
- modified-availability: Environmental: Modified Availability
- confidentiality-requirement: Environmental: Confidentiality Requirement Modifier
- integrity-requirement: Environmental: Integrity Requirement Modifier
- availability-requirement: Environmental: Availability Requirement Modifier
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-vector']/@value- network: Network
- adjacent: Adjacent
- local: Local
- physical: Physical
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-complexity']/@value- high: High
- low: Low
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('privileges-required', 'confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value- none: No response, such as when the identified risk is found to be a false positive.
- low: Low
- high: High
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='user-interaction']/@value- none: No response, such as when the identified risk is found to be a false positive.
- required: Required
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='scope']/@value- unchanged: Unchanged
- changed: Changed
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='exploit-code-maturity']/@value- not-defined: Not Defined
- unproven: Unproven
- proof-of-concept: Proof-of-Concept
- functional: Functional
- high: High
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='remediation-level']/@value- not-defined: Not Defined
- official-fix: Official Fix
- temporary-fix: Temporary Fix
- workaround: Workaround
- unavailable: Unavailable
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='report-confidence']/@value- not-defined: Not Defined
- unknown: Unknown
- reasonable: Reasonable
- confirmed: Confirmed
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value- not-defined: Not Defined
- low: Low
- medium: Medium
- high: High
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-attack-vector']/@value- not-defined: Not Defined
- network: Network
- adjacent: Adjacent
- local: Local
- physical: Physical
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-attack-complexity']/@value- not-defined: Not Defined
- high: High
- low: Low
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('modified-privileges-required', 'modified-confidentiality', 'modified-integrity', 'modified-availability')]/@value- not-defined: Not Defined
- none: No response, such as when the identified risk is found to be a false positive.
- low: Low
- high: High
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-user-interaction']/@value- not-defined: Not Defined
- none: No response, such as when the identified risk is found to be a false positive.
- required: Required
- allowed-values
for
(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-scope']/@value- not-defined: Not Defined
- unchanged: Unchanged
- changed: Changed
- allowed-values
for
(.)[@system=('https://www.first.org/cvss/v4-0')]/@name- av: Base: Attack Vector
- ac: Base: Attack Complexity
- at: Base: Attack Requirements
- pr: Base: Privileges Required
- ui: Base: User Interaction
- vc: Base: Vulnerable System Confidentiality Impact
- vi: Base: Vulnerable System Integrity Impact
- va: Base: Vulnerable System Availability Impact
- sc: Base: Subsequent System Confidentiality Impact
- si: Base: Vulnerable System Integrity Impact
- sa: Base: Vulnerable System Availability Impact
- s: Safety
- au: Supplemental: Automatable
- r: Supplemental: Recovery
- v: Supplemental: Value Density
- re: Supplemental: Vulnerability Response Effort
- u: Unreported
- mav: Environmental: Modified Attack Vector
- mac: Environmental: Modified Attack Complexity
- mat: Environmental: Modified Attack Requirements
- mpr: Environmental: Modified Privileges Required
- mui: Environmental: Modified User Interaction
- mvc: Environmental: Modified Vulnerable System Confidentiality
- mvi: Environmental: Modified Vulnerable System Integrity
- mva: Environmental: Modified Vulnerable System Availability
- msc: Environmental: Subsequent Vulnerable System Confidentiality
- msi: Environmental: Subsequent Vulnerable System Integrity
- msa: Environmental: Subsequent Vulnerable System Availability
- cr: Environmental: Confidentiality Requirements
- ir: Environmental: Integrity Requirements
- ar: Environmental: Availability Requirements
- e: Threat: Exploit Maturity
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='av']/@value- n: Negligible
- a: Attacked
- l: Low
- p: PoC
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='ac']/@value- h: High
- l: Low
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='at']/@value- n: Negligible
- p: PoC
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name=('pr','vc','vi','va','sc','si','sa')]/@value- n: Negligible
- l: Low
- h: High
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='ui']/@value- n: Negligible
- p: PoC
- a: Attacked
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='s']/@value- x: Not Defined
- n: Negligible
- p: PoC
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='au']/@value- x: Not Defined
- n: Negligible
- y: Yes
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='r']/@value- x: Not Defined
- a: Attacked
- u: Unreported
- i: Irrecoverable
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='v']/@value- x: Not Defined
- a: Attacked
- u: Unreported
- i: Irrecoverable
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='re']/@value- x: Not Defined
- l: Low
- m: Medium
- h: High
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='u']/@value- x: Not Defined
- clear: Clear
- green: Green
- amber: Amber
- red: Red
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='mav']/@value- x: Not Defined
- n: Negligible
- a: Attacked
- l: Low
- p: PoC
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='mac']/@value- x: Not Defined
- h: High
- l: Low
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='mat']/@value- x: Not Defined
- n: Negligible
- p: PoC
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name=('mpr','mvc','mvi')]/@value- x: Not Defined
- n: Negligible
- l: Low
- h: High
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='mui']/@value- x: Not Defined
- n: Negligible
- p: PoC
- a: Attacked
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='msc']/@value- x: Not Defined
- n: Negligible
- l: Low
- h: High
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name=('msi','msa')]/@value- x: Not Defined
- n: Negligible
- l: Low
- h: High
- s: Safety
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name=('cr','ir','ar')]/@value- x: Not Defined
- l: Low
- m: Medium
- h: High
- allowed-values
for
.[@system='https://www.first.org/cvss/v4-0' and @name='e']/@value- x: Not Defined
- a: Attacked
- p: PoC
- u: Unreported
<characterization> element
Characterization
A collection of descriptive data about the containing object from a specific origin.
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<origin> | assembly | [1] | Identifies the source of the finding, such as a tool, interviewed person, or activity. |
<facet> | assembly | [1 to ∞] | An individual characteristic that is part of a larger set produced by the same actor. |
<required-asset> element
Required Asset
Identifies an asset required to achieve remediation.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (6)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<subject-reference> | assembly | [0 to ∞] | A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. |
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<title> | field | [0 to 1] | The title for this event. |
<description> | field | [1 to 1] | A human-readable description of this event. |
<response> element
Risk Response
Describes either recommended or an actual plan for addressing the risk.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
@ lifecycle | token | Yes | Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner. |
Child Elements (8)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<origin> | assembly | [0 to ∞] | Identifies the source of the finding, such as a tool, interviewed person, or activity. |
<task> | assembly | [0 to ∞] | Represents a scheduled event or milestone, which may be associated with a series of assessment actions. |
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<required-asset> | assembly | [0 to ∞] | Identifies an asset required to achieve remediation. |
<title> | field | [1 to 1] | The title for this event. |
<description> | field | [1 to 1] | A human-readable description of this event. |
Constraints (2)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- type: Risk Response Type
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value- avoid: The risk will be eliminated.
- mitigate: The risk will be reduced.
- transfer: The risk will be transferred to another organization or entity.
- accept: The risk will continue to exist without further efforts to address it. (Sometimes referred to as "Operationally required")
- share: The risk will be partially transferred to another organization or entity.
- contingency: Plans will be made to address the risk impact if the risk occurs. (This is a form of mitigation.)
- none: No response, such as when the identified risk is found to be a false positive.
<prose> field
Part Text
Permits multiple paragraphs, lists, tables etc.
<assessment-part> element
Assessment Part
A partition of an assessment plan or results or a child of another part.
A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.
A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.
Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | No | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
@ name | token | Yes | A textual label that uniquely identifies the part's semantic type. |
@ ns | uri | No | A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name. |
@ class | token | No | A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns. |
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<assessment-part> | assembly | [0 to ∞] | A partition of an assessment plan or results or a child of another part. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<title> | field | [0 to 1] | The title for this event. |
<prose> | field | [0 or 1] | Permits multiple paragraphs, lists, tables etc. |
Constraints (2)
- allowed-values
for
.[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- method: The assessment method to use. This typically appears on parts with the name "objective".
- allowed-values
for
.[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']/@value- INTERVIEW: The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.
- EXAMINE: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).
- TEST: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
<threat-id> field
Threat ID
A pointer, by ID, to an externally-defined threat.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ system | uri | Yes | Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash. |
@ href | uri-reference | No | An optional location for the threat data, from which this ID originates. |
<risk-status> field
Risk Status
Describes the status of the associated risk.
Constraints (1)
- allowed-values
for
.- open: The risk has been identified.
- investigating: The identified risk is being investigated. (Open risk)
- remediating: Remediation activities are underway, but are not yet complete. (Open risk)
- deviation-requested: A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)
- deviation-approved: A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)
- closed: The risk has been resolved.
<part> element
Part
An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.
A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.
A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:
- Referencing a part by id to tailor (make modifications to) a control statement in a profile.
- Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.
Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.
To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns http://fedramp.gov/ns/oscal, while DoD might use the ns https://defense.gov for any organization specific name.
Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ id | token | No | A unique identifier for the parameter. |
@ name | token | Yes | A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns. |
@ ns | uri | No | An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name. |
@ class | token | No | A textual label that provides a characterization of the type, purpose, use or scope of the parameter. |
Child Elements (5)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<part> | assembly | [0 to ∞] | An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<title> | field | [0 or 1] | The title for this event. |
<prose> | field | [0 or 1] | Permits multiple paragraphs, lists, tables etc. |
Constraints (1)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- alt-identifier: An alternate or aliased identifier for the parent context.
<label> field
Parameter Label
A short, placeholder name for the parameter, which can be used as a substitute for a
value if no value is assigned. The label value is intended use when rendering a parameter in generated documentation or a user interface when a parameter is referenced. Note that labels are not required to be distinctive, which means that parameters within the same control may have the same label.
<usage> field
Parameter Usage Description
Describes the purpose and use of a
parameter.
<parameter> element
Parameter
Parameters provide a mechanism for the dynamic assignment of value(s) in a control.
In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.
A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ id | token | Yes | A unique identifier for the parameter. |
@ class | token | No | A textual label that provides a characterization of the type, purpose, use or scope of the parameter. |
@ depends-on | token | No | (deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used. |
Child Elements (9)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<parameter-constraint> | assembly | [0 to ∞] | A formal or informal expression of a constraint or test. |
<parameter-guideline> | assembly | [0 to ∞] | A prose statement that provides a recommendation for the use of a parameter. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<label> | field | [0 or 1] | A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned. |
<usage> | field | [0 or 1] | Describes the purpose and use of a parameter. |
<parameter-selection> | assembly | [0 or 1] | Presenting a choice among alternatives. |
<parameter-value> | field | [0 to ∞] | A parameter value or set of values. |
Constraints (3)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- label: A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- alt-identifier: An alternate or aliased identifier for the parent context.
- alt-label: An alternate to the value provided by the parameter's label. This will typically be qualified by a class.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/rmf')]/@name- aggregates: The parent parameter provides an aggregation of two or more other parameters, each described by this property.
- expect
for
.Test: not(exists(@depends-on))
<expression> field
Constraint test
A formal (executable) expression of a
constraint.
<test> element
Constraint Test
A test expression which is expected to be evaluated by a tool.
Child Elements (2)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<expression> | field | [1] | A formal (executable) expression of a constraint. |
<parameter-constraint> element
Constraint
A formal or informal expression of a constraint or test.
Child Elements (2)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<test> | assembly | [0 to ∞] | A test expression which is expected to be evaluated by a tool. |
<description> | field | [0 or 1] | A human-readable description of this event. |
<parameter-guideline> element
Guideline
A prose statement that provides a recommendation for the use of a parameter.
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<prose> | field | [1] | Permits multiple paragraphs, lists, tables etc. |
<choice> field
Choice
A value selection among several such
options.
<parameter-selection> element
Selection
Presenting a choice among alternatives.
A set of parameter value choices, that may be picked from to set the parameter value.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ how-many | token | No | Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<choice> | field | [0 to ∞] | A value selection among several such options. |
<include-all> element
Include All
Include all controls from the imported catalog or profile resources.
This element provides an alternative to calling controls individually from a catalog.
<matching> element
Match Controls by Pattern
Selecting a set of controls by matching their IDs with a wildcard pattern.
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<parameter-value> field
Parameter Value
A parameter value or set of values.
<with-id> field
Match Controls by Identifier
Selecting a control by its ID given as a literal.
<purpose> field
Purpose
A summary of the technological or business purpose of the component.
<system-component> element
Component
A defined component that can be part of an implemented system.
Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.
The type indicates which of these component types is represented.
When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (9)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<responsible-role> | assembly | [0 to ∞] | A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role. |
<protocol> | assembly | [0 to ∞] | Information about the protocol used to provide a service. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<status> | assembly | [1] | A determination of if the objective is satisfied or not within a given system. |
<title> | field | [1] | The title for this event. |
<description> | field | [1] | A human-readable description of this event. |
<purpose> | field | [0 or 1] | A summary of the technological or business purpose of the component. |
Constraints (18)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- implementation-point: Relative placement of component ('internal' or 'external') to the system.
- leveraged-authorization-uuid: UUID of the related leveraged-authorization assembly in this SSP.
- inherited-uuid: UUID of the component as it was assigned in the leveraged system's SSP.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
- hardware-model: **(deprecated)** Use 'model' instead.
- model: The model of system used by the asset.
- os-name: The name of the operating system used by the asset.
- os-version: The version of the operating system used by the asset.
- software-name: The software product name used by the asset.
- software-version: The software product version used by the asset.
- software-patch-level: The software product patch level used by the asset.
- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of system used by the asset.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
- allowed-values
for
link/@rel- depends-on: A reference to another component that this component has a dependency on.
- validation: An external assessment performed on some other component, that has been validated by a third-party.
- proof-of-compliance: A pointer to a validation record (e.g., FIPS 140-2) or other compliance information.
- baseline-template: A reference to the baseline template used to configure the asset.
- uses-service: This service is used by the referenced component identifier.
- system-security-plan: A link to the system security plan of the external system.
- uses-network: This component uses the network provided by the identified network component.
- imported-from: The hyperlink identifies a URI pointing to the
componentin acomponent-definitionthat originally defined thecomponent.
- allowed-values
for
responsible-role/@role-id- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value- yes: The asset is included in periodic vulnerability scanning.
- no: The asset is not included in periodic vulnerability scanning.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='public']/@value- yes: The asset is included in periodic vulnerability scanning.
- no: The asset is not included in periodic vulnerability scanning.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='virtual']/@value- yes: The asset is included in periodic vulnerability scanning.
- no: The asset is not included in periodic vulnerability scanning.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='implementation-point']/@value- internal: A user account for a person or entity that is part of the organization who owns or operates the system.
- external: A user account for a person or entity that is not part of the organization who owns or operates the system.
- allowed-values
for
(.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- vendor-name: The name of the company or organization
- allowed-values
for
(.)[@type='validation']/link/@rel- validation-details: A link to an online information provided by the authorizing body.
- allowed-values
for
(.)[@type='software']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- software-identifier: If a "software" component-type, the identifier, such as a SWID tag, for the software component.
- allowed-values
for
(.)[@type='service']/link/@rel- provided-by: This service is provided by the referenced component identifier.
- used-by: This service is used by the referenced component identifier.
- allowed-values
for
(.)[@type='interconnection']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- isa-title: Title of the Interconnection Security Agreement (ISA).
- isa-date: Date of the Interconnection Security Agreement (ISA).
- isa-remote-system-name: The name of the remote interconnected system.
- ipv4-address: The Internet Protocol v4 Address of the asset.
- ipv6-address: The Internet Protocol v6 Address of the asset.
- direction: The direction categorizes the network connectivity of an interconnection, service, or software component.
- uri: A Uniform Resource Identifier (URI) for the asset.
- fqdn: The full-qualified domain name (FQDN) of the asset.
- allowed-values
for
(.)[@type=('interconnection', 'service', 'software', 'system')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- ipv4-address: The Internet Protocol v4 Address of the asset.
- ipv6-address: The Internet Protocol v6 Address of the asset.
- direction: The direction categorizes the network connectivity of an interconnection, service, or software component.
- uri: A Uniform Resource Identifier (URI) for the asset.
- fqdn: The full-qualified domain name (FQDN) of the asset.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('ipv4-address','ipv6-address')]/@class- local: The identified IP address is for this system.
- remote: The identified IP address is for the remote system to which this system is connected.
- allowed-values
for
(.)[@type='interconnection']/link/@rel- isa-agreement: A link to the system interconnection agreement.
- allowed-values
for
(.)[@type='interconnection']/responsible-role/@role-id- isa-poc-local: Interconnection Security Agreement (ISA) point of contact (POC) for this system.
- isa-poc-remote: Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system.
- isa-authorizing-official-local: Interconnection Security Agreement (ISA) authorizing official for this system.
- isa-authorizing-official-remote: Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='direction']/@value- incoming: Data from the remote system flows into this system.
- outgoing: Data from this system flows to the remote system.
<protocol> element
Service Protocol Information
Information about the protocol used to provide a service.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | No | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
@ name | string | No | The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. |
Child Elements (2)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<port-range> | assembly | [0 to ∞] | Where applicable this is the transport layer protocol port range an IPv4-based or IPv6-based service uses. |
<title> | field | [0 or 1] | The title for this event. |
Constraints (1)
- expect
for
.Test: @uuid
<port-range> element
Port Range
Where applicable this is the transport layer protocol port range an IPv4-based or IPv6-based service uses.
To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ start | non-negative-integer | No | Indicates the starting port number in a port range for a transport layer protocol |
@ end | non-negative-integer | No | Indicates the ending port number in a port range for a transport layer protocol |
@ transport | token | No | Indicates the transport type. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
Constraints (3)
- expect
for
.Test: exists(@start) - expect
for
.Test: exists(@end) - expect
for
.Test: not(@start > @end)
<implementation-status> element
Implementation Status
Indicates the degree to which the a given control is implemented.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ state | token | Yes | Identifies the implementation status of the control or control objective. |
Child Elements (1)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<remarks> | field | [0 to 1] | Additional commentary about the containing object. |
<system-user> element
System User
A type of user that interacts with the system based on an associated role.
Permissible values to be determined closer to the application, such as by a receiving authority.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (8)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<authorized-privilege> | assembly | [0 to ∞] | Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege. |
<role-id> | field | [0 to ∞] | Reference to a role by UUID. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<title> | field | [0 or 1] | The title for this event. |
<short-name> | field | [0 or 1] | A short common name, abbreviation, or acronym for the party. |
<description> | field | [0 or 1] | A human-readable description of this event. |
Constraints (4)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- type: The type of user, such as internal, external, or general-public.
- privilege-level: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value- internal: A user account for a person or entity that is part of the organization who owns or operates the system.
- external: A user account for a person or entity that is not part of the organization who owns or operates the system.
- general-public: A user of the system considered to be outside
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='privilege-level']/@value- privileged: This role has elevated access to the system, such as a group or system administrator.
- non-privileged: This role has typical user-level access to the system without elevated access.
- no-logical-access: This role has no access to the system, such as a manager who approves access as part of a process.
- allowed-values
for
role-id- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
<implemented-component> element
Implemented Component
The set of components that are implemented in a given system inventory item.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ component-uuid | uuid | Yes | A machine-oriented identifier reference to a component that is implemented as part of an inventory item. |
Child Elements (4)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<responsible-party> | assembly | [0 to ∞] | A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
Constraints (2)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- version: The version of the component.
- patch-level: The specific patch level of the component.
- model: The model of system used by the asset.
- release-date: The date the component was released, such as a software release date or policy publication date.
- validation-type: Used with component-type='validation' to provide a well-known name for a kind of validation.
- validation-reference: Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component.
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
- hardware-model: **(deprecated)** Use 'model' instead.
- model: The model of system used by the asset.
- os-name: The name of the operating system used by the asset.
- os-version: The version of the operating system used by the asset.
- software-name: The software product name used by the asset.
- software-version: The software product version used by the asset.
- software-patch-level: The software product patch level used by the asset.
- allowed-values
for
responsible-party/@role-id- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
<inventory-item> element
Inventory Item
A single managed inventory item within the system.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ uuid | uuid | Yes | A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. |
Child Elements (6)
| Element | Type | Cardinality | Description |
|---|---|---|---|
<property> | assembly | [0 to ∞] | An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. |
<link> | assembly | [0 to ∞] | A reference to a local or remote resource, that has a specific relation to the containing object. |
<responsible-party> | assembly | [0 to ∞] | A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object. |
<remarks> | field | [0 or 1] | Additional commentary about the containing object. |
<implemented-component> | assembly | [0 to ∞] | The set of components that are implemented in a given system inventory item. |
<description> | field | [1] | A human-readable description of this event. |
Constraints (6)
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- ipv4-address: The Internet Protocol v4 Address of the asset.
- ipv6-address: The Internet Protocol v6 Address of the asset.
- fqdn: The full-qualified domain name (FQDN) of the asset.
- uri: A Uniform Resource Identifier (URI) for the asset.
- serial-number: A serial number for the asset.
- netbios-name: The NetBIOS name for the asset.
- mac-address: The media access control (MAC) address for the asset.
- physical-location: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers).
- is-scanned: is the asset subjected to network scans? (yes/no)
- asset-type: Simple indication of the asset's function, such as Router, Storage Array, DNS Server.
- asset-id: An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item.
- asset-tag: An asset tag assigned by the organization responsible for maintaining the logical or tangible item.
- public: Identifies whether the asset is publicly accessible (yes/no)
- virtual: Identifies whether the asset is virtualized (yes/no)
- vlan-id: Virtual LAN identifier of the asset.
- network-id: The network identifier of the asset.
- label: A human-readable label for the parent context.
- sort-id: An alternative identifier, whose value is easily sortable among other such values in the document.
- baseline-configuration-name: The name of the baseline configuration for the asset.
- allows-authenticated-scan: Can the asset be check with an authenticated scan? (yes/no)
- function: The function provided by the asset for the system.
- hardware-model: **(deprecated)** Use 'model' instead.
- model: The model of system used by the asset.
- os-name: The name of the operating system used by the asset.
- os-version: The version of the operating system used by the asset.
- software-name: The software product name used by the asset.
- software-version: The software product version used by the asset.
- software-patch-level: The software product patch level used by the asset.
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value- operating-system: System software that manages computer hardware, software resources, and provides common services for computer programs.
- database: An electronic collection of data, or information, that is specially organized for rapid search and retrieval.
- web-server: A system that delivers content or services to end users over the Internet or an intranet.
- dns-server: A system that resolves domain names to internet protocol (IP) addresses.
- email-server: A computer system that sends and receives electronic mail messages.
- directory-server: A system that stores, organizes and provides access to directory information in order to unify network resources.
- pbx: A private branch exchange (PBX) provides a a private telephone switchboard.
- firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- router: A physical or virtual networking device that forwards data packets between computer networks.
- switch: A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device.
- storage-array: A consolidated, block-level data storage capability.
- appliance: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.
- allowed-values
for
(.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name- vendor-name: The name of the company or organization
- allowed-values
for
prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='is-scanned']/@value- yes: The asset is included in periodic vulnerability scanning.
- no: The asset is not included in periodic vulnerability scanning.
- allowed-values
for
link/@rel- baseline-template: A reference to the baseline template used to configure the asset.
- allowed-values
for
responsible-party/@role-id- asset-owner: Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.
- asset-administrator: Responsible for administering a set of assets.
- security-operations: Members of the security operations center (SOC).
- network-operations: Members of the network operations center (NOC).
- incident-response: Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
- help-desk: Responsible for providing information and support to users.
- configuration-management: Responsible for the configuration management processes governing changes to the asset.
- maintainer: Responsible for the creation and maintenance of a component.
- provider: Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).
<value> field
Parameter Value
A parameter value or set of values.
<set-parameter> element
Set Parameter Value
Identifies the parameter that will be set by the enclosed value.
<function-performed> field
Functions Performed
Describes a function performed for a given authorized privilege by this user class.
<system-id> field
System Identification
A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined
system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document. Attributes
| Name | Type | Required | Description |
|---|---|---|---|
@ identifier-type | uri | No | Identifies the identification system from which the provided identifier was assigned. |