oscal
OSCAL: Open Security Controls Assessment Language: LinkML Schema
URI: https://w3id.org/lmodel/oscal
Name: oscal
Classes
| Class | Description |
|---|---|
| Action | An action applied by a role within a given party to the content |
| Activity | Identifies an assessment or related process that can be performed |
| Addition | Specifies content to be added into controls in resolution |
| Address | A postal address for the location |
| Alteration | Specifies changes to be made to an included control when a profile is resolve... |
| AssessmentAssets | Identifies the assets used to perform this assessment |
| AssessmentLog | A log of all assessment-related actions taken |
| AssessmentLogEntry | Identifies the result of an action and/or task that occurred as part of execu... |
| AssessmentMethod | A local definition of a control objective |
| AssessmentPart | A partition of an assessment plan or results or a child of another part |
| TermsAndConditionsPart | A terms-and-conditions scoped assessment part |
| AssessmentPlan | An assessment plan, such as those provided by a FedRAMP assessor |
| AssessmentPlatform | Used to represent the toolset used to perform aspects of the assessment |
| AssessmentResults | Security assessment results, such as those provided by a FedRAMP assessor in ... |
| AssessmentResultsLocalDefinitions | Used to define data objects that are referenced by the assessment results but... |
| AssessmentSelectControlById | Select a specific control for inclusion/exclusion in the assessment by litera... |
| AssessmentSubject | Identifies system elements being assessed, such as components, inventory item... |
| AssessmentSubjectPlaceholder | Used when the assessment subjects will be determined as part of one or more o... |
| AssessmentSubjectSource | Assessment subjects will be identified while conducting the referenced activi... |
| AssociatedActivity | Identifies an individual activity to be performed as part of a task |
| AssociatedRisk | Relates the finding to a set of referenced risks |
| AtFrequency | The task is intended to occur at the specified frequency |
| Attestation | A set of textual attestation statements, typically written by the assessor |
| AuthorizationBoundary | A description of this system's authorization boundary, optionally supplemente... |
| AuthorizedPrivilege | Identifies a specific system privilege held by the user, along with an associ... |
| BackMatter | A collection of resources that may be referenced from within the OSCAL docume... |
| Base64Resource | A resource encoded using the Base64 alphabet defined by RFC 2045 |
| ByComponent | Defines how the referenced component implements a set of controls |
| Capability | A grouping of other components and/or capabilities |
| Catalog | A structured, organized collection of control information |
| Characterization | A collection of descriptive data about the containing object from a specific ... |
| Citation | An optional citation consisting of end note text using structured markup |
| CombinationRule | Defines how to resolve duplicate instances of the same control (e |
| ComponentDefinition | A collection of component descriptions, which may optionally be grouped by ca... |
| ComponentStatus | Describes the operational status of the system component |
| ConfidenceScore | Confidence represented as a category and/or percentage value |
| ConstraintTest | A test expression which is expected to be evaluated by a tool |
| Control | A structured object representing a requirement or guideline, which when imple... |
| ControlImplementationSet | Defines how the component or capability supports a set of controls |
| ControlMatching | Selecting a set of controls by matching their IDs with a wildcard pattern |
| ControlObjectiveSelection | Identifies the control objectives of the assessment |
| ControlPart | An annotated, markup-based textual element of a control's or catalog group's ... |
| ControlResponsibility | Describes a control implementation responsibility imposed on a leveraging sys... |
| ControlSelection | Identifies the controls being assessed |
| Coverage | A percentage representing target coverage by source mappings |
| DataFlow | A description of the logical flow of information within the system and across... |
| DefinedComponent | A defined component that can be part of an implemented system |
| Diagram | A graphic that provides a visual representation of the system, or some aspect of... |
| DocumentId | A document identifier qualified by an identifier scheme |
| EventTiming | The timing under which the task is intended to occur |
| Export | Defines a set of control implementations that are provided as reference imple... |
| Facet | An individual characteristic that is part of a larger set produced by the sam... |
| Finding | Describes an individual finding |
| FindingTarget | Captures an assessor's conclusions regarding the degree to which an objective... |
| GapSummary | A summary of controls that were not mapped |
| Group | A group of controls, or of groups of controls |
| Hash | A representation of a cryptographic digest generated over a resource using a ... |
| HasPropsAndLinks | Mixin providing the props and links slots that are common to many OSCAL objec... |
| HasResponsibleParties | Mixin providing the responsible-parties slot for objects that carry party ass... |
| HasResponsibleRoles | Mixin providing the responsible-roles slot for objects that carry role assign... |
| IdentifiedSubject | Used to detail assessment subjects that were identified by this task |
| ImpactLevel | The expected level of impact resulting from the described information's confi... |
| ImplementationStatus | Indicates the degree to which a given control is implemented |
| ImplementedComponent | The set of components that are implemented in a given system inventory item |
| ImplementedControlStatement | Identifies which statements within a control are addressed |
| ImplementedRequirement | Describes how the containing component or capability implements an individual... |
| ImportAssessmentPlan | Used by assessment-results to import information about the original plan for ... |
| ImportComponentDefinition | Loads a component definition from another resource |
| ImportProfile | Used to import the OSCAL profile representing the system's control baseline |
| ImportSSP | Used by the assessment plan and POA&M to import information about the system |
| IncludeAll | Include all controls from the imported catalog or profile resources |
| IncorporatesComponent | The collection of components comprising a capability |
| InformationType | Contains details about one information type that is stored, processed, or tra... |
| InformationTypeCategorization | A set of information type identifiers qualified by the given identification s... |
| InheritedControlImplementation | Describes a control implementation inherited by a leveraging system |
| InsertControls | Specifies which controls to use in the containing context (as part of a group... |
| InventoryItem | A single managed inventory item within the system |
| SspInventoryItem | SSP-scoped inventory item with allows-authenticated-scan property typing |
| LeveragedAuthorization | A description of another authorized system from which this system inherits ca... |
| Link | A reference to a local or remote resource, that has a specific relation to th... |
| ImplementationCommonLink | Implementation-common scoped OSCAL link |
| SspByComponentLink | SSP-scoped link used in by-component contexts |
| SspDiagramLink | SSP-scoped link used in diagram objects |
| SspLeveragedAuthorizationLink | SSP-scoped link used in leveraged authorization objects |
| SspSystemInformationLink | SSP-scoped link used in system information |
| LocalDefinitions | Used to define data objects that are used in the assessment plan, that do not... |
| LocalObjective | A local definition of a control objective for this assessment |
| Location | A physical point of presence, which may be associated with people, organizati... |
| LoggedBy | Used to indicate who created a log entry in what role |
| Map | A relationship-based mapping entry between source and target sets |
| Mapping | A mapping between two mapped resources |
| MappingCollection | A collection of control mappings between source and target resources |
| MappingItem | A source or target item participating in a mapping entry |
| MappingProvenance | Mapping-level provenance details and mapping defaults |
| MappingResourceReference | A reference to the source or target resource for a mapping |
| MergeCustom | Provides an alternate grouping structure that selected controls will be place... |
| MergeFlat | Directs that controls appear without any grouping structure after profile res... |
| Metadata | Provides information about the containing document, and defines concepts shar... |
| MitigatingFactor | Describes an existing mitigating factor that may affect the overall determina... |
| NetworkArchitecture | A description of the system's network architecture, optionally supplemented w... |
| ObjectiveStatus | A determination of whether the objective is satisfied or not within a given system |
| Observation | Describes an individual observation |
| OnDateCondition | The task is intended to occur on the specified date |
| Origin | Identifies the source of the finding, such as a tool, interviewed person, or ... |
| OriginActor | The actor that produces an observation, a finding, or a risk |
| OscalCommon | Mixin providing props, links, and remarks slots common to most OSCAL objects |
| OscalDocument | A root wrapper for an OSCAL document, which may be of any OSCAL document type... |
| AssessmentPlanDocument | Root wrapper for an OSCAL Assessment Plan document |
| AssessmentResultsDocument | Root wrapper for an OSCAL Assessment Results document |
| CatalogDocument | Root wrapper for an OSCAL Catalog document |
| ComponentDefinitionDocument | Root wrapper for an OSCAL Component Definition document |
| MappingCollectionDocument | Root wrapper for an OSCAL Mapping Collection document |
| PoamDocument | Root wrapper for an OSCAL Plan of Action and Milestones document |
| ProfileDocument | Root wrapper for an OSCAL Profile document |
| SspDocument | Root wrapper for an OSCAL System Security Plan document |
| Parameter | Parameters provide a mechanism for the dynamic assignment of value(s) in a co... |
| ParameterConstraint | A formal or informal expression of a constraint or test |
| ParameterGuideline | A prose statement that provides a recommendation for the use of a parameter |
| ParameterSelection | Presenting a choice among alternatives |
| ParameterSetting | A parameter setting to be propagated to points of insertion in a resolved pro... |
| Part | An annotated, markup-based textual element of a control's or catalog group's ... |
| Party | An organization or person, which may be associated with roles or other concep... |
| PartyExternalId | An identifier for a person or organization using a designated scheme, e |
| MetadataPartyExternalId | Metadata-scoped external identifier |
| PlanOfActionAndMilestones | A plan of action and milestones that identifies initial and residual risks, d... |
| PoamItem | Describes an individual POA&M item |
| PoamLocalDefinitions | Allows components and inventory items to be defined within the POA&M for case... |
| PortRange | Where applicable, the transport layer protocol port range |
| Profile | An OSCAL Profile that designates a set of controls from one or more catalogs ... |
| ProfileGroup | A group of (selected) controls or of groups of controls within a profile cust... |
| ProfileImport | Designates a referenced source catalog or profile that provides a source of c... |
| ProfileMerge | Provides structuring directives that instruct how controls are organized afte... |
| ProfileModify | Set parameters or amend controls in resolution |
| Property | An attribute, characteristic, or quality of the containing object expressed a... |
| ImplementationCommonProperty | Implementation-common scoped OSCAL property |
| LocationProperty | Location-scoped OSCAL property |
| MetadataProperty | Metadata-scoped OSCAL property |
| ParameterProperty | Control-common parameter-scoped OSCAL property |
| PartProperty | Control-common part-scoped OSCAL property |
| PartyProperty | Party-scoped OSCAL property |
| ProfileAlterationProperty | OSCAL property entries allowed in profile modify additions |
| ResourceProperty | Back-matter resource-scoped OSCAL property |
| RevisionProperty | Revision-scoped OSCAL property |
| SspAllowsAuthenticatedScanProp | SSP-scoped property used for component and inventory allows-authenticated-sca... |
| SspControlOriginationProp | SSP-scoped property used in implemented requirement and by-component contexts |
| SspSystemCharacteristicsProp | SSP-scoped property used in system characteristics |
| SspSystemInformationProp | SSP-scoped property used in system information |
| Protocol | Information about the protocol used to provide a service |
| ProvidedControlImplementation | Describes a capability which may be inherited by a leveraging system |
| QualifierItem | A qualifier describing requirements or incompatibilities |
| RelatedFinding | Relates a POA&M item to a referenced finding |
| RelatedObservation | Relates the identified element to a set of referenced observations |
| RelatedTask | Identifies an individual task for which the containing object is a consequenc... |
| RelevantEvidence | Links this observation to relevant evidence |
| Removal | Specifies objects to be removed from a control based on aspects of the object... |
| RequiredAsset | Identifies an asset required to achieve remediation |
| Resource | A resource associated with content in the containing document instance |
| ResourceLink | A URL-based pointer to an external resource with an optional hash for verific... |
| Response | Describes either recommended or an actual plan for addressing the risk |
| ResponsibleParty | A reference to a set of persons and/or organizations that have responsibility... |
| ImplementationResponsibleParty | Implementation-common scoped responsible party |
| SspSystemCharacteristicsResponsibleParty | SSP-scoped responsible party for system characteristics |
| ResponsibleRole | A reference to a role with responsibility for performing a function relative ... |
| ImplementationResponsibleRole | Implementation-common scoped responsible role |
| SspByComponentResponsibleRole | SSP-scoped responsible role used by by-component contexts |
| SspImplementedRequirementResponsibleRole | SSP-scoped responsible role used by implemented requirement and statement con... |
| Result | Identifies all of the assessment observations and findings, initial and resid... |
| ResultLocalDefinitions | Used to define local implementation and assessment assets referenced by a res... |
| ReviewedControls | Identifies the controls being assessed and their control objectives |
| Revision | An entry in a sequential list of revisions to the containing document |
| Risk | An identified risk |
| RiskLog | A log of all risk-related tasks taken |
| RiskLogEntry | Identifies an individual risk response that occurred as part of managing an i... |
| RiskResponseReference | Identifies an individual risk response that this log entry is for |
| Role | Defines a function, which might be assigned to a party in a specific situatio... |
| SatisfiedControlImplementation | Describes how this system satisfies a responsibility imposed by a leveraged s... |
| SecurityImpactLevel | The overall level of expected impact resulting from unauthorized disclosure, ... |
| SelectControlById | Select a control or controls from an imported control set |
| SelectObjectiveById | Used to select a control objective for inclusion/exclusion |
| SelectSubjectById | Identifies a set of assessment subjects to include/exclude by UUID |
| SetParameter | Identifies the parameter that will be set by the enclosed value |
| SspControlImplementation | Describes how the system satisfies a set of controls |
| SspImplementedRequirement | Describes how the system satisfies an individual control |
| SspStatement | Identifies which statements within a control are addressed |
| Step | Identifies an individual step in a series of steps related to an activity, su... |
| SubjectReference | A human-oriented identifier reference to a resource |
| SystemCharacteristics | Contains the characteristics of the system, such as its name, purpose, and se... |
| SystemComponent | A defined component that can be part of an implemented system |
| SspSystemComponent | SSP-scoped system component with allows-authenticated-scan property typing |
| SystemId | A human-oriented, globally unique identifier for a system |
| SystemImplementation | Provides information as to how the system is implemented |
| SystemInformation | Contains details about all information types that are stored, processed, or t... |
| SystemSecurityPlan | A system security plan, such as those described in NIST SP 800-18 |
| SystemStatus | Describes the operational status of the system |
| SystemUser | A type of user that interacts with the system based on an associated role |
| Task | Represents a scheduled event or milestone, which may be associated with a ser... |
| TaskDependency | Used to indicate that a task is dependent on another task |
| TelephoneNumber | A telephone service number as defined by ITU-T E |
| TermsAndConditions | Used to define various terms and conditions under which an assessment can be ... |
| ThreatId | A pointer, by ID, to an externally-defined threat |
| UsesComponent | The set of components that are used by the assessment platform |
| WithinDateRange | The task is intended to occur within the specified date range |
Slots
| Slot | Description |
|---|---|
| _class | A textual label that provides a sub-type or characterization |
| actions | An action applied by a role within a given party to the content |
| activities | A collection of activities |
| activity_uuid | A UUID reference to an activity |
| actor_uuid | A machine-oriented identifier reference to the tool or person based on the as... |
| actors | The actor that produces an observation, a finding, or a risk |
| addr_lines | A single line of an address |
| address | A postal address for the location |
| addresses | Postal addresses associated with the containing object |
| adds | Specifies content to be added into a control in resolution |
| adjustment_justification | If the selected security level is different from the base security level, thi... |
| algorithm | The digest method by which a hash is derived |
| alters | Specifies changes to be made to included controls in resolution |
| as_is | When true, retain the original grouping structure as defined in the import so... |
| assessment_assets | Identifies the assets used to perform this assessment |
| assessment_log | A log of assessment-related actions taken |
| assessment_plan | The root assessment plan object |
| assessment_platforms | A collection of assessment platforms |
| assessment_results | The root assessment results object |
| assessment_subjects | Identifies system elements being assessed |
| associated_activities | Activities associated with this task |
| at_frequency | The task is intended to occur at the specified frequency |
| attestations | A set of attestation statements for the result |
| authorization_boundary | A description of this system's authorization boundary, optionally supplemente... |
| authorized_privileges | A collection of authorized privileges |
| availability_impact | The expected level of impact resulting from the disruption of access to or us... |
| back_matter | A collection of resources that may be referenced from within the OSCAL docume... |
| base | The prescribed base (Confidentiality, Integrity, or Availability) security im... |
| base64 | A resource encoded using the Base64 alphabet defined by RFC 2045 |
| by_class | Identify items to remove by their class label |
| by_components | Defines how the referenced component implements a set of controls |
| by_id | Identify or target items by their id value |
| by_item_name | Identify items to remove by the item's information object type name |
| by_name | Identify items to remove by their assigned name |
| by_ns | Identify items to remove by the item's namespace |
| capabilities | Capability groupings for the defined components |
| caption | A brief caption to annotate the diagram |
| catalog | Root catalog document |
| categorizations | A set of information type identifiers qualified by the given identification s... |
| category | Confidence category label or qualifier category value |
| characterizations | Supporting information about the risk and how it relates to the system |
| choice | A value selection among several such options |
| citation | An optional citation consisting of end note text using structured markup |
| city | City, town or geographical region for the mailing address |
| collected | Date/time stamp identifying when the finding information was collected |
| combine | Defines how to resolve duplicate instances of the same control |
| component_definition | The root component-definition object |
| component_uuid | A UUID reference to a component |
| components | A collection of system components |
| confidence_score | Confidence descriptor for a mapping |
| confidentiality_impact | The expected level of impact resulting from the unauthorized disclosure of th... |
| constraints | A formal or informal expression of a constraint or test |
| control_id | A reference to a control by its identifier |
| control_implementation | Describes how the system satisfies a set of controls |
| control_implementations | Control implementation sets for a component or capability |
| control_objective_selections | Identifies the control objectives of the assessment |
| control_selections | Identifies the controls being assessed |
| controls | A collection of controls |
| country | The ISO 3166-1 alpha-2 country code for the mailing address |
| coverage | Coverage metadata for a mapping |
| custom | Provides an alternate grouping structure that selected controls will be place... |
| data_flow | A description of the logical flow of information within the system and across... |
| date | The date and time when the action occurred |
| date_authorized | The date the system received its authorization |
| deadline | The date/time by which the risk must be resolved |
| dependencies | Tasks that this task depends on |
| depends_on | (deprecated) Another parameter invoking this one |
| description | A human-readable description |
| diagrams | A collection of diagrams that visually depict the subject |
| document_ids | Document identifiers qualified by an identifier scheme |
| email_addresses | Email addresses associated with the containing object |
| end | The end date/time |
| entries | Identifies an individual risk response that occurred as part of managing an i... |
| exclude_controls | Control-selection entries to exclude in the containing OSCAL context |
| exclude_objectives | Objectives to exclude from the assessment |
| exclude_subjects | Assessment subjects to exclude |
| expires | Date/time identifying when the finding information is no longer considered va... |
| export | Defines a set of control implementations that are provided as reference imple... |
| expression | A formal (executable) expression of a constraint |
| external_ids | An identifier for a person or organization using a designated scheme, e |
| facets | An individual characteristic that is part of a larger set produced by the sam... |
| filename | Name of the file before it was encoded as Base64 to be embedded in a resource |
| finding_uuid | A UUID reference to a finding |
| findings | A collection of findings captured in the containing context |
| flat | Directs that controls appear without any grouping structure |
| functions_performed | Describes a function performed for a given authorized privilege |
| generation_method | Method used to determine the coverage value |
| group | An identifier for relating distinct sets of properties |
| groups | A collection of control groups |
| guidelines | A prose statement that provides a recommendation for the use of a parameter |
| hashes | A representation of a cryptographic digest generated over a resource using a ... |
| how_many | Describes the number of selections that must occur |
| href | A resolvable URL reference to a resource |
| id | A unique human-oriented identifier within a particular context |
| id_ref | Identifier reference of a source/target subject |
| identified_subject | Used to detail assessment subjects that were identified by this task |
| identifier | A document identifier value |
| identifier_type | A human-readable label for a specific identifier scheme |
| implementation_statement_uuid | A reference to the implementation statement in the SSP to which this finding ... |
| implementation_status | Identifies the implementation status of the control |
| implementation_uuid | A machine-oriented, globally unique identifier with cross-instance scope that... |
| implemented_components | A collection of implemented components |
| implemented_requirements | Control implementation requirement entries in the containing OSCAL context |
| import_ap | Used to import information about the governing assessment plan |
| import_component_definitions | Component-definition resources imported into this document |
| import_profile | Used to import the OSCAL profile representing the system's control baseline |
| import_ssp | Used to import information about the system from an SSP |
| imports | Designates source catalog or profile resources to be imported into the profil... |
| include_all | Include all selectable objects in the containing OSCAL selection context |
| include_controls | Control-selection entries to include in the containing OSCAL context |
| include_objectives | Objectives to include in the assessment |
| include_subjects | Assessment subjects to include |
| incorporates_components | Component references incorporated by a capability |
| information_type_ids | An identifier qualified by the given identification system used, such as NIST... |
| information_types | Contains details about one information type that is stored, processed, or tra... |
| inherited | Describes a control implementation inherited by a leveraging system |
| insert_controls | Specifies which controls to use in the containing context |
| integrity_impact | The expected level of impact resulting from the unauthorized modification of ... |
| inventory_items | A collection of inventory items |
| label | A short, placeholder name for the parameter, which can be used as a substitut... |
| last_modified | The date and time the document was last modified |
| leveraged_authorizations | A description of another authorized system from which this system inherits ca... |
| lifecycle | Identifies whether this is a recommendation or an actual plan |
| links | A list of links |
| local_definitions | Used to define data objects that do not appear in the referenced SSP |
| location_uuids | Reference to a location by UUID |
| locations | A physical point of presence, which may be associated with people, organizati... |
| logged_by | Used to indicate who created a log entry in what role |
| mapping_collection | The root mapping collection object |
| mapping_description | Description of the context and intended use of the mapping |
| mappings | A collection of control mappings |
| maps | Mapping entries relating source items to target items |
| matching | Selecting a set of controls by matching their IDs with a wildcard pattern |
| matching_rationale | The rationale method used to relate mapped items |
| media_type | A label that indicates the nature of a resource, as a data serialization or f... |
| member_of_organizations | A reference to another party by UUID, typically an organization, that this su... |
| merge | Structuring directives for how controls are organized after profile resolutio... |
| metadata | Provides information about the containing document, and defines concepts shar... |
| method | Method indicator used by the containing OSCAL context |
| methods | Identifies how the observation was made |
| mitigating_factors | Describes existing mitigating factors that may affect the overall determinati... |
| modify | Set parameters or amend controls in resolution |
| name | A textual label that uniquely identifies an attribute or semantic type |
| network_architecture | A description of the system's network architecture, optionally supplemented w... |
| ns | An optional namespace qualifying a name |
| number | A telephone number value |
| objective_id | Reference to a control objective by its identifier |
| objectives_and_methods | A collection of locally-defined control objectives |
| observation_uuid | A machine-oriented identifier reference to an observation defined in the list... |
| observations | A collection of observations captured in the containing context |
| on_date | The task is intended to occur on the specified date |
| order | A designation of how a selection of controls is to be ordered |
| origin | The source of the finding |
| origins | Identifies the source of observations, findings, or risks |
| oscal_version | The OSCAL model version the document was authored against and will conform to... |
| param_id | The identifier for the parameter being set or referenced |
| params | Parameters providing a mechanism for the dynamic assignment of value(s) in a ... |
| part | An assessment part |
| parties | An organization or person, which may be associated with roles or other concep... |
| parts | A collection of parts |
| party_uuid | A machine-oriented identifier reference to the party who is making the log en... |
| party_uuids | References to party UUIDs |
| pattern | A glob expression matching the IDs of one or more controls to be selected |
| percentage | A decimal percentage value in the range 0 to 1 |
| period | The task must occur every period (in the given units) |
| plan_of_action_and_milestones | The root plan of action and milestones object |
| poam_items | A collection of POA&M items |
| port_ranges | Where applicable, the transport layer protocol port range |
| position | Where to add new content relative to the targeted element |
| postal_code | Postal or ZIP code for mailing address |
| predicate | Predicate describing qualifier semantics |
| profile | The root profile object |
| props | A list of properties |
| prose | Permits multiple paragraphs, lists, tables etc |
| protocols | Information about the protocol used to provide a service |
| provenance | Global provenance and mapping method metadata |
| provided | Describes a capability which may be inherited by a leveraging system |
| provided_uuid | Machine-oriented identifier reference to an inherited control implementation ... |
| published | The date and time the document was last made available |
| purpose | A summary of the technological or business purpose of the component |
| qualifiers | Qualifier statements for a mapping entry |
| reason | The reason the objective was given its status |
| rel | Describes the type of relationship provided by the link's hypertext reference |
| related_controls | A reference to reviewed controls for this activity or step |
| related_findings | Relates a POA&M item to one or more findings |
| related_observations | Relates the containing object to a set of referenced observations |
| related_responses | Identifies an individual risk response that this log entry is for |
| related_risks | Relates the finding to a set of referenced risks |
| related_tasks | Identifies tasks for which the containing object is a consequence |
| relationship | Relationship type for a mapping entry |
| relevant_evidence | Links the observation to relevant evidence |
| remarks | Additional commentary about the containing object |
| remediations | Describes either recommended or actual responses to a risk |
| removes | Specifies objects to be removed from a control in resolution |
| required_assets | Identifies an asset required to achieve remediation |
| resource_fragment | In case where the href points to a back-matter/resource, this value will indi... |
| resources | A resource associated with content in the containing document instance |
| response_uuid | A machine-oriented identifier reference to a unique risk response |
| responsibilities | Describes a control implementation responsibility imposed on a leveraging sys... |
| responsibility_uuid | Machine-oriented identifier reference to a control implementation responsibil... |
| responsible_parties | Responsible party assignments |
| responsible_roles | Responsible role assignments |
| results | A collection of assessment results |
| reviewed_controls | Identifies the controls being assessed and their control objectives |
| revisions | An entry in a sequential list of revisions to the containing document, expect... |
| risk_log | A log of all risk-related tasks taken |
| risk_uuid | A machine-oriented identifier reference to a risk defined in the list of risk... |
| risks | A collection of risks captured in the containing context |
| rlinks | A URL-based pointer to an external resource with an optional hash for verific... |
| role_id | A reference to a role by its identifier |
| role_ids | Role identifiers associated with the user |
| roles | Defines a function, which might be assigned to a party in a specific situatio... |
| satisfied | Describes how this system satisfies a responsibility imposed by a leveraged s... |
| scheme | Qualifies the kind of identifier using a URI |
| security_impact_level | The overall level of expected impact resulting from unauthorized disclosure, ... |
| security_objective_availability | A target-level of availability for the system, based on the sensitivity of in... |
| security_objective_confidentiality | A target-level of confidentiality for the system, based on the sensitivity of... |
| security_objective_integrity | A target-level of integrity for the system, based on the sensitivity of infor... |
| security_sensitivity_level | The overall information system sensitivity categorization, such as defined by... |
| select | Presenting a choice among alternatives |
| selected | The selected (Confidentiality, Integrity, or Availability) security impact le... |
| set_parameters | Parameter-setting entries applied in the containing OSCAL context |
| short_name | A short common name, abbreviation, or acronym |
| source | Reference to an external catalog or profile resource |
| source_gap_summary | Summary of unmapped source controls |
| source_resource | Reference to the mapping source resource |
| sources | Source references or source-participation entries in the containing OSCAL con... |
| start | The start date/time |
| state | State, province or analogous geographical region for a mailing address |
| statement | An assessor's summary of the risk, in narrative form |
| statement_id | A reference to a control statement identifier |
| statement_ids | Statement IDs for control selection |
| statements | Control statement implementation entries in the containing OSCAL context |
| status | Status indicator used by the containing OSCAL context |
| status_change | Identifies the risk change that prompted the log entry |
| steps | A collection of steps in an activity |
| subject | Subject to which the qualifier applies |
| subject_placeholder_uuid | A reference to an assessment subject placeholder defined in the assessment pl... |
| subject_uuid | A UUID reference to the identified subject |
| subjects | Assessment subjects or subject references for this object |
| system | Specifies the action type system used |
| system_characteristics | Contains the characteristics of the system, such as its name, purpose, and se... |
| system_id | A human-oriented, globally unique identifier for a system |
| system_ids | Unique identifiers for the system |
| system_implementation | Provides information as to how the system is implemented |
| system_information | Contains details about all information types that are stored, processed, or t... |
| system_name | The full name of the system |
| system_name_short | A short name for the system, such as an acronym, that is suitable for display... |
| system_security_plan | A system security plan, such as those described in NIST SP 800-18 |
| system_status | Describes the operational status of the system |
| target | Identifies the target of a finding |
| target_coverage | Percentage coverage of targets by sources |
| target_gap_summary | Summary of unmapped target controls |
| target_id | Identifies the specific target qualified by the type |
| target_resource | Reference to the mapping target resource |
| targets | Target subjects participating in a mapping entry |
| task_uuid | A UUID reference to a task |
| tasks | A collection of tasks |
| telephone_numbers | Telephone numbers associated with the containing object |
| terms_and_conditions | Terms and conditions under which an assessment can be performed |
| tests | A test expression which is expected to be evaluated by a tool |
| text | A textual label to associate with the containing object |
| threat_ids | The referenced threat identifiers |
| timing | The timing under which a task is intended to occur |
| title | A human-readable name or title |
| transport | Indicates the transport type |
| type | Indicates the nature or kind of the containing object |
| types | Identifies the nature of the observation |
| unit | The unit of time for the period |
| unmapped_controls | Controls that remain unmapped |
| urls | The uniform resource locator (URL) for a web site or other resource associate... |
| usage | Describes the purpose and use of a parameter |
| users | A collection of system users |
| uses_components | The set of components used by the assessment platform |
| uuid | A machine-oriented, globally unique identifier with a cross-instance scope |
| value | The value associated with the containing object |
| values | A parameter value or set of values |
| version | Used to distinguish a specific revision of an OSCAL document from other previ... |
| with_child_controls | When a control is included, whether its child (dependent) controls are also i... |
| with_ids | Selecting a control by its ID given as a literal |
| within_date_range | The task is intended to occur within the specified date range |
Enumerations
| Enumeration | Description |
|---|---|
| ActionSystemEnum | Curated OSCAL action system values |
| ActionTypeEnum | Allowed OSCAL action type values |
| AdditionPositionEnum | Where new content is added relative to the targeted element |
| AddressTypeEnum | Curated address type values |
| AllowsAuthenticatedScanEnum | Values for allows-authenticated-scan property in SSP component and inventory ... |
| AlterationPropNameEnum | Allowed OSCAL property names for profile modification additions |
| AssessmentPartNameEnum | Curated assessment part name values |
| AssessmentSubjectTypeEnum | Curated assessment subject type values |
| AssuranceLevelValueEnum | NIST SP 800-63 assurance level values |
| ByComponentLinkRelEnum | Curated relation values for links in by-component objects |
| ByComponentResponsibleRoleIdEnum | Curated role identifiers for by-component responsible roles |
| ByItemNameEnum | Identifies content to remove by the item's object type name |
| CloudDeploymentModelEnum | Cloud deployment model values used by OSCAL SSP properties |
| CloudServiceModelEnum | Cloud service model values used by OSCAL SSP properties |
| CombinationMethodEnum | Methods for resolving duplicate control instances during merge |
| ComponentStateEnum | |
| ComponentTypeEnum | Curated component type values |
| ConfidenceCategoryEnum | Curated confidence category values for OSCAL mappings |
| ControlLinkRelEnum | Curated OSCAL link relation values for catalog controls |
| ControlObjectivePartMethodPropValueEnum | Allowed OSCAL method property values for control objectives |
| ControlObjectivePartSubpartNameEnum | Allowed OSCAL subpart names for control objective parts |
| ControlOriginationPropNameEnum | OSCAL-defined property names used in implementation statements |
| ControlOriginationValueEnum | Control origination values |
| ControlPartNameEnum | Allowed top-level OSCAL part names for catalog controls |
| ControlPropNameEnum | Allowed OSCAL property names for catalog controls |
| ControlPropStatusValueEnum | Allowed OSCAL status property values for catalog controls |
| ControlStatementPartNameEnum | Allowed OSCAL part names for control statement parts |
| ControlStatementPartPropNameEnum | Allowed OSCAL property names for control statement parts |
| ControlStatementPartRmfPropNameEnum | Allowed OSCAL RMF property names for control statement parts |
| ControlStatementPartSubpartNameEnum | Allowed OSCAL subpart names for control statement parts |
| CoverageGenerationMethodEnum | Curated coverage generation method values |
| DiagramLinkRelEnum | Curated relation values for links in diagram objects |
| DocumentIdSchemeEnum | Curated document identifier scheme values |
| FindingTargetTypeEnum | |
| Fips199ImpactLevelEnum | Curated FIPS 199 impact level values |
| GroupPartNameEnum | Allowed OSCAL part names for catalog groups |
| HashAlgorithmEnum | Curated hash algorithm values |
| ImplementationAssetTypeEnum | Curated implementation asset type values |
| ImplementationDirectionEnum | |
| ImplementationIpAddressClassEnum | |
| ImplementationLinkRelEnum | Curated implementation-common link relation values |
| ImplementationPointEnum | |
| ImplementationPropNameEnum | Allowed OSCAL implementation-common property names |
| ImplementationResponsibleRoleIdEnum | Curated implementation-common role identifiers used in responsible role and r... |
| ImplementationStatusStateEnum | Curated implementation status state values |
| ImplementationYesNoEnum | Implementation-common yes/no value set used by several properties |
| ImplementedRequirementResponsibleRoleIdEnum | Curated role identifiers for implemented requirement and statement responsibl... |
| InformationTypeCategorizationSystemEnum | Curated information type categorization system URIs |
| InsertOrderEnum | Ordering options for a selection of controls |
| InterconnectionResponsibleRoleIdEnum | Curated interconnection responsible-role identifiers |
| LeveragedAuthorizationLinkRelEnum | Curated relation values for links in leveraged authorization objects |
| LocationDataCenterClassEnum | Curated OSCAL location class values for data-center type |
| LocationPropNameEnum | Allowed OSCAL property names for metadata locations |
| LocationPropTypeEnum | Curated OSCAL location type property values |
| MappingMethodEnum | |
| MappingResourceTypeEnum | Curated mapped resource type values |
| MappingStatusEnum | |
| MappingSubjectTypeEnum | |
| MatchingRationaleEnum | |
| MetadataLinkRelEnum | Curated metadata link relation values |
| MetadataPropNameEnum | Allowed OSCAL property names for metadata |
| MetadataResponsiblePartyRoleIdEnum | Curated metadata responsible-party role identifiers |
| ObjectiveStatusReasonEnum | Curated objective status reason values |
| ObjectiveStatusStateEnum | |
| ObservationMethodEnum | Curated observation method values |
| ObservationTypeEnum | Curated observation type values |
| OriginActorTypeEnum | |
| OscalAssessmentObjectiveTypesEnum | Values from assessment-common set oscal-assessment-objective-types |
| OscalCharacterizationFacetNameSystemValuesEnum | Values from assessment-common set oscal-characterization-facet-name-system-va... |
| OscalCvssV40AcValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40AtValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40AuValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40AvValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40EnvCiaValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40EValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40MacValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40MatValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40MavValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40MprMvsCiaValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40MscValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40MsiMsaCiaValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40MuiValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40PrCiaValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40ReValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40RValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40SValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40UiValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40UValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40VectorsEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalCvssV40VValuesEnum | Values from assessment-common set oscal-cvss-v4 |
| OscalFacetCveValuesEnum | Values from assessment-common set oscal-facet-cve-values |
| OscalFacetCvss2AccessComplexityValuesEnum | Values from assessment-common set oscal-facet-cvss2-access-complexity-values |
| OscalFacetCvss2AccessVectorValuesEnum | Values from assessment-common set oscal-facet-cvss2-access-vector-values |
| OscalFacetCvss2AuthenticationValuesEnum | Values from assessment-common set oscal-facet-cvss2-authentication-values |
| OscalFacetCvss2CiaRequirementValuesEnum | Values from assessment-common set oscal-facet-cvss2-cia-requirement-values |
| OscalFacetCvss2CollateralDamagePotentialValuesEnum | Values from assessment-common set oscal-facet-cvss2-collateral-damage-potenti... |
| OscalFacetCvss2ConfidentialityImpactValuesEnum | Values from assessment-common set oscal-facet-cvss2-confidentiality-impact-va... |
| OscalFacetCvss2ExploitabilityValuesEnum | Values from assessment-common set oscal-facet-cvss2-exploitability-values |
| OscalFacetCvss2NameValuesEnum | Values from assessment-common set oscal-facet-cvss2-name-values |
| OscalFacetCvss2RemediationLevelValuesEnum | Values from assessment-common set oscal-facet-cvss2-remediation-level-values |
| OscalFacetCvss2ReportConfidenceValuesEnum | Values from assessment-common set oscal-facet-cvss2-report-confidence-values |
| OscalFacetCvss3AccessComplexityValuesEnum | Values from assessment-common set oscal-facet-cvss3-access-complexity-values |
| OscalFacetCvss3AccessVectorValuesEnum | Values from assessment-common set oscal-facet-cvss3-access-vector-values |
| OscalFacetCvss3CiaImpactValuesEnum | Values from assessment-common set oscal-facet-cvss3-cia-impact-values |
| OscalFacetCvss3CiaRequirementValuesEnum | Values from assessment-common set oscal-facet-cvss3-cia-requirement-values |
| OscalFacetCvss3ExploitCodeMaturityValuesEnum | Values from assessment-common set oscal-facet-cvss3-exploit-code-maturity-val... |
| OscalFacetCvss3ModifiedAttackComplexityValuesEnum | Values from assessment-common set oscal-facet-cvss3-modified-attack-complexit... |
| OscalFacetCvss3ModifiedAttackVectorValuesEnum | Values from assessment-common set oscal-facet-cvss3-modified-attack-vector-va... |
| OscalFacetCvss3ModifiedCiaValuesEnum | Values from assessment-common set oscal-facet-cvss3-modified-cia-values |
| OscalFacetCvss3ModifiedScopeValuesEnum | Values from assessment-common set oscal-facet-cvss3-modified-scope-values |
| OscalFacetCvss3ModifiedUserInteractionValuesEnum | Values from assessment-common set oscal-facet-cvss3-modified-user-interaction... |
| OscalFacetCvss3NameValuesEnum | Values from assessment-common set oscal-facet-cvss3-name-values |
| OscalFacetCvss3RemediationLevelEnum | Values from assessment-common set oscal-facet-cvss3-remediation-level |
| OscalFacetCvss3ReportConfidenceValuesEnum | Values from assessment-common set oscal-facet-cvss3-report-confidence-values |
| OscalFacetCvss3ScopeEnum | Values from assessment-common set oscal-facet-cvss3-scope |
| OscalFacetCvss3UserInteractionEnum | Values from assessment-common set oscal-facet-cvss3-user-interaction |
| OscalFacetFedrampValuesEnum | Values from assessment-common set oscal-facet-fedramp-values |
| OscalFacetNameCoreValuesEnum | Values from assessment-common set oscal-facet-name-core-values |
| OscalFacetPropNameValuesEnum | Values from assessment-common set oscal-facet-prop-name-values |
| OscalFacetPropStateValuesEnum | Values from assessment-common set oscal-facet-prop-state-values |
| OscalResponsePropTypeValueEnum | Values from assessment-common set oscal-response-prop-type-value |
| OscalRiskPropNameValuesEnum | Values from assessment-common set oscal-risk-prop-name-values |
| OscalRiskPropTypeValuesEnum | Values from assessment-common set oscal-risk-prop-type-values |
| ParameterCardinalityEnum | |
| ParameterPropNameEnum | Allowed OSCAL property names for control-common parameters |
| PartPropNameEnum | Allowed OSCAL property names for control-common parts |
| PartyExternalIdSchemeEnum | Curated external identifier scheme values for metadata parties |
| PartyPropNameEnum | Allowed OSCAL property names for metadata parties |
| PartyTypeEnum | |
| PhoneTypeEnum | Curated telephone number type values |
| PrivacyDesignationEnum | Privacy designation property values |
| QualifierCategoryEnum | |
| QualifierPredicateEnum | |
| QualifierSubjectEnum | |
| RelationshipEnum | Relationship values used for mapping entries in the OSCAL namespace |
| ResourcePropNameEnum | Allowed OSCAL property names for back-matter resources |
| ResourcePropTypeEnum | Allowed OSCAL back-matter resource type property values |
| ResponseLifecycleEnum | Curated response lifecycle values |
| RevisionPropNameEnum | Allowed OSCAL property names for metadata revisions |
| RiskStatusEnum | Curated risk status values |
| RmfParameterPropNameEnum | Allowed OSCAL RMF parameter property names |
| SelectSubjectTypeEnum | Curated subject type values for subject selection |
| SystemCharacteristicsPropNameEnum | OSCAL-defined property names used within system characteristics |
| SystemCharacteristicsResponsibleRoleIdEnum | Curated role identifiers for system characteristics responsible parties |
| SystemIdentifierTypeEnum | Curated system identifier type URIs |
| SystemInformationLinkRelEnum | Curated relation values for links in system information |
| SystemInformationPropNameEnum | OSCAL-defined property names used within system information |
| SystemOperatingStatusEnum | Allowable operational states for an OSCAL-described system |
| TaskTypeEnum | Curated task type values |
| TermsAndConditionsPartNameEnum | Allowed part names in assessment plan terms-and-conditions |
| TimingUnitEnum | |
| TransportEnum | |
| UserPrivilegeLevelEnum | |
| UserTypeEnum | |
| WithChildControlsEnum | |
Types
| Type | Description |
|---|---|
| Base64Type | Binary data encoded using Base64 as defined by RFC4648 |
| Boolean | A binary (true or false) value |
| Curie | a compact URI |
| Date | a date (year, month and day) in an idealized calendar |
| DateOrDatetime | Either a date or a datetime |
| Datetime | The combination of a date and time |
| DateTimeWithTimezoneType | A string representing a point in time with a required timezone |
| Decimal | A real number with arbitrary precision that conforms to the xsd:decimal speci... |
| Double | A real number that conforms to the xsd:double specification |
| EmailAddressType | An email address string formatted according to RFC 6531 |
| Float | A real number that conforms to the xsd:float specification |
| Integer | An integer |
| Jsonpath | A string encoding a JSON Path |
| Jsonpointer | A string encoding a JSON Pointer |
| MarkupLineType | A single line of Markdown content (no newlines) |
| MarkupMultilineType | Multiple lines of Markdown content |
| Ncname | Prefix part of CURIE |
| Nodeidentifier | A URI, CURIE or BNODE that represents a node in a model |
| NonNegativeIntegerType | A non-negative integer value (>= 0), as used for port range boundaries |
| Objectidentifier | A URI or CURIE that represents an object in the model |
| PositiveIntegerType | A positive integer value (>= 1), as used for task recurrence periods |
| Sparqlpath | A string encoding a SPARQL Property Path |
| String | A character string |
| Time | A time object represents a (local) time of day, independent of any particular... |
| TokenType | A non-colonized XML NCName token |
| Uri | a complete URI |
| Uriorcurie | a URI or a CURIE |
| URIReferenceType | A URI Reference, either a URI or relative-reference, per RFC3986 |
| URIType | A universal resource identifier formatted according to RFC3986 |
| UUIDType | A type 4 or type 5 UUID per RFC 4122 |
Subsets
| Subset | Description |
|---|---|
| AssessmentCommon | Classes originating from the oscal-assessment-common namespace: subjects, ass... |
| AssessmentPlan | Classes that form the root Assessment Plan document and its direct structural... |
| AssessmentResults | Classes that form the root OSCAL Assessment Results document and its assessme... |
| ComponentDefinition | Classes that form the root OSCAL Component Definition document and component-... |
| ImplementationCommon | Classes originating from the oscal-implementation-common namespace: system co... |
| MappingCollection | Classes that form the root OSCAL Mapping Collection document and mapping-spec... |
| OscalBackMatter | Classes originating from the oscal-metadata back-matter definition: back-matt... |
| OscalCatalog | Classes originating from the oscal-catalog namespace: the root catalog docume... |
| OscalControlCommon | Classes originating from the oscal-control-common namespace: parts, parameter... |
| OscalMetadata | Classes originating from the oscal-metadata namespace: document metadata, par... |
| Poam | Classes that form the root OSCAL Plan of Action and Milestones document and i... |
| Profile | Classes that form the root OSCAL Profile document and its profile-specific st... |
| Ssp | Classes that form the root OSCAL System Security Plan document and its SSP-sp... |