diff --git a/Makefile b/Makefile index b56e8f923..000075261 100644 --- a/Makefile +++ b/Makefile @@ -138,11 +138,17 @@ docs-clean: clean-tmp # Utilities # ============================================================================ -.PHONY: gen-oscal simplified-catalog check-for-changes clean clean-env +.PHONY: download-oscal gen-oscal gen-oscal-namespace simplified-catalog check-for-changes clean clean-env + +download-oscal: ## Download latest OSCAL release schemas and metaschemas + python3 scripts/download_oscal.py gen-oscal: clean-tmp ## Generate OSCAL Python models from JSON schemas hatch run python ./scripts/gen_oscal.py +gen-oscal-namespace: ## Generate OSCAL namespace YAML from metaschemas + hatch run python ./scripts/extract_oscal_namespace.py + simplified-catalog: ## Generate simplified NIST catalog for testing hatch run python ./scripts/simplify_retain_ac.py ./nist-content/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json ./tests/data/json/simplified_nist_catalog.json diff --git a/ns-catalog.txt b/ns-catalog.txt new file mode 100644 index 000000000..eda37832d --- /dev/null +++ b/ns-catalog.txt @@ -0,0 +1,152 @@ + +================================================================================ +Namespace: http://csrc.nist.gov/ns/oscal +================================================================================ + + +[1/20] .//part[@name] (oscal-catalog) + Values: 2, allow_other=False + - objective + - assessment-objective + +[2/20] ./type[@value] (oscal-metadata) + Values: 2, allow_other=False + - approval + - request-changes + +[3/20] .[@name] (oscal-metadata) + Values: 1, allow_other=False + - marking + +[4/20] back-matter/prop[@name] (oscal-metadata) + Values: 3, allow_other=False + - type + - version + - published + +[5/20] back-matter/prop[@value] where name=type (oscal-metadata) + Values: 24, allow_other=False + - logo + - image + - screen-shot + - law + - regulation + - standard + - external-guidance + - acronyms + - citation + - policy + - procedure + - system-guide + - users-guide + - administrators-guide + - rules-of-behavior + - plan + - artifact + - evidence + - tool-output + - raw-data + - interview-notes + - questionnaire + - report + - agreement + +[6/20] control/part[@name] (oscal-catalog) + Values: 6, allow_other=False + - overview + - statement + - guidance + - example + - assessment + - assessment-method + +[7/20] control/prop[@name] (oscal-catalog) + Values: 4, allow_other=False + - label + - sort-id + - alt-identifier + - status + +[8/20] control/prop[@value] where name=status (oscal-catalog) + Values: 2, allow_other=False + - withdrawn + - Withdrawn + +[9/20] group/part[@name] (oscal-catalog) + Values: 2, allow_other=False + - overview + - instruction + +[10/20] group/prop[@name] (oscal-catalog) + Values: 3, allow_other=False + - label + - sort-id + - alt-identifier + +[11/20] has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='statement']//part[@name] (oscal-catalog) + Values: 1, allow_other=False + - item + +[12/20] has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[@name] (oscal-catalog) + Values: 2, allow_other=False + - objects + - assessment-objects + +[13/20] has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[@name] (oscal-catalog) + Values: 1, allow_other=False + - method + +[14/20] has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[@value] where name=method (oscal-catalog) + Values: 3, allow_other=False + - INTERVIEW + - EXAMINE + - TEST + +[15/20] metadata/prop[@class] where name=type, value=data-center (oscal-metadata) + Values: 2, allow_other=True + - primary + - alternate + +[16/20] metadata/prop[@name] (oscal-catalog) + Values: 2, allow_other=False + - resolution-tool + - source-profile-uuid + - type + - mail-stop + - office + - job-title + - keywords + +[17/20] metadata/prop[@name] (oscal-metadata) + Values: 5, allow_other=False + - type + - mail-stop + - office + - job-title + - keywords + +[18/20] metadata/prop[@value] where name=type (oscal-metadata) + Values: 1, allow_other=True + - data-center + +[19/20] parameter/prop[@name] (oscal-control-common) + Values: 4, allow_other=False + - label + - sort-id + - alt-identifier + - alt-label + +[20/20] part/prop[@name] (oscal-control-common) + Values: 3, allow_other=False + - label + - sort-id + - alt-identifier + +================================================================================ +Namespace: http://csrc.nist.gov/ns/rmf +================================================================================ + + +[1/1] parameter/prop[@name] (oscal-control-common) + Values: 1, allow_other=False + - aggregates diff --git a/release-metaschemas/oscal_assessment-common_metaschema_RESOLVED.xml b/release-metaschemas/oscal_assessment-common_metaschema_RESOLVED.xml new file mode 100644 index 000000000..67eca2921 --- /dev/null +++ b/release-metaschemas/oscal_assessment-common_metaschema_RESOLVED.xml @@ -0,0 +1,2257 @@ + + + OSCAL Assessment Layer Format -- Common Modules + 1.2.1 + oscal-assessment-common + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

This contains all modules common to the assessment plan, assessment results, and POAM models.

+

The root of the OSCAL Assessment Plan format is assessment-plan.

+

The root of the OSCAL Assessment Results format is assessment-results.

+

The root of the OSCAL Plan of Action and Milestones (POA&M) format is plan-of-action-and-milestones.

+
+ + + + + + Import System Security Plan + Used by the assessment plan and POA&M to import information about the system. + + System Security Plan Reference + A resolvable URL reference to the system security plan for the system being assessed. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
  6. +
+
+
+ + + +
+ + Assessment-Specific Control Objective + A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions. + + +

The specified control-id must be a valid value within the baseline identified by the target system's SSP via the import-profile statement.

+
+
+ + + Objective Description + A human-readable description of this control objective. + + + + + + + + + + + + + + + **(deprecated)** Use 'assessment-objective' instead. + **(deprecated)** Use 'assessment-method' instead. + The part defines an assessment objective. + The part defines an assessment method. + + + + + + +
+ + Assessment Method + A local definition of a control objective. Uses catalog syntax for control objective and assessment activities. + + Assessment Method Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Assessment Method Description + A human-readable description of this assessment method. + + + + + + + + + + + + + Activity + Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment. + + Assessment Activity Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Included Activity Title + The title for this included activity. + + + Included Activity Description + A human-readable description of this included activity. + + + + + + + + + Step + Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure. + + + Step Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Step Title + The title for this step. + + + Step Description + A human-readable description of this step. + + + + + + + + + +

This can be optionally used to define the set of controls and control objectives that are assessed by this step.

+
+
+ + + +

Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.

+
+
+ +
+ + + + +

Since multiple party-uuid entries can be provided, each role-id must be referenced only once.

+
+
+
+
+ + related-controls + +

This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.

+
+
+ + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+ +
+ + + + The assessment method to use. This typically appears on parts with the name "assessment". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ + Task + Represents a scheduled event or milestone, which may be associated with a series of assessment actions. + + Task Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + Task Type + The type of task. + + + The task represents a planned milestone. + The task represents a specific assessment action to be performed. + + + + + + Task Title + The title for this task. + + + Task Description + A human-readable description of this task. + + + + + + + + + Event Timing + The timing under which the task is intended to occur. + + + + On Date Condition + The task is intended to occur on the specified date. + + On Date Condition + The task must occur on the specified date. + + + + + + + + On Date Range Condition + The task is intended to occur within the specified date range. + + Start Date Condition + The task must occur on or after the specified date. + + + End Date Condition + The task must occur on or before the specified date. + + + + + + + + Frequency Condition + The task is intended to occur at the specified frequency. + + Period + The task must occur after the specified period has elapsed. + + + Time Unit + The unit of time for the period. + + + The period is specified in seconds. + The period is specified in minutes. + The period is specified in hours. + The period is specified in days. + The period is specified in calendar months. + The period is specified in calendar years. + + + + + + + + + + + + + Task Dependency + Used to indicate that a task is dependent on another task. + + + Task Universally Unique Identifier Reference + + A machine-oriented identifier reference to a unique task. + + + + + + + + + + Associated Activity + Identifies an individual activity to be performed as part of a task. + + + Activity Universally Unique Identifier Reference + + A machine-oriented identifier reference to an activity defined in the list of activities. + + + + + + + + + + + +

Identifies the person or organization responsible for performing a specific role defined by the activity.

+
+
+ + + subject + + + + +
+ + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ + subject + + +

The assessment subjects that the activity was performed against.

+
+
+ + + +

Identifies the person or organization responsible for performing a specific role related to the task.

+ +
+
+ +
+
+ + + Reviewed Controls and Control Objectives + Identifies the controls being assessed and their control objectives. + + + Control Objective Description + A human-readable description of control objectives. + + + + + + + + + Assessed Controls + Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan. + + + + Assessed Controls Description + A human-readable description of in-scope controls specified for assessment. + + + + + + + + + + + include-control + + +

Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.

+
+
+
+ + exclude-control + + +

Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.

+
+
+ +
+ +

The include-all, specifies all control identified in the baseline are included in the scope if this assessment, as specified by the include-profile statement within the linked SSP.

+

Any control specified within exclude-controls must first be within a range of explicitly included controls, via include-controls or include-all.

+
+
+ + Referenced Control Objectives + Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan. + + + + Control Objectives Description + A human-readable description of this collection of control objectives. + + + + + + + + + + + include-objective + + +

Used to select a control objective for inclusion by the control objective's identifier.

+
+
+
+ + exclude-objective + + +

Used to select a control objective for exclusion by the control objective's identifier.

+
+
+ +
+ +

The include-all field, specifies all control objectives for any in-scope control. In-scope controls are defined in the control-selection.

+

Any control objective specified within exclude-controls must first be within a range of explicitly included control objectives, via include-objectives or include-all.

+
+
+ +
+ +

In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.

+

When resolving the selection of controls and control objectives, the following processing will occur:

+

1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.

+

2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.

+
+
+ + Select Control + Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the assessment scope. + + + + Include Specific Statements + Used to constrain the selection to only specificity identified statements. + + + + + + Select Objective + Used to select a control objective for inclusion/exclusion based on the control objective's identifier. + + + + + + + + + Assessment Subject Placeholder + Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log. + + Assessment Subject Placeholder Universally Unique Identifier + + A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Assessment Subject Placeholder Description + A human-readable description of intent of this assessment subject placeholder. + + + Assessment Subject Source + Assessment subjects will be identified while conducting the referenced activity-instance. + + + Task Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + + + + + + + + + + + + + Subject of Assessment + Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope. + + Subject Type + Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement. + + + + The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results. + The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results. + The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results. + The referenced assessment subject is a person or team to interview, who is defined as a party in the metadata of the SSP, Assessment Plan, or Assessment Results. + The referenced assessment subject is a user defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results. + + + + + + Include Subjects Description + A human-readable description of the collection of subjects being included in this assessment. + + + + + + + + + + + include-subject + + + + + exclude-subject + + + + + +

Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.

+
+
+ + Select Assessment Subject + Identifies a set of assessment subjects to include/exclude by UUID. + + + type + + + + + + + + + + + + + Subject Universally Unique Identifier Reference + + A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID. + + + Subject Universally Unique Identifier Reference Type + Used to indicate the type of object pointed to by the uuid-ref within a subject. + + + + Component + Inventory Item + Location + Interview Party + User + Resource or Artifact + + + + + Identifies the Subject + + A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. + + + type + + + + + Subject Reference Title + The title or name for the referenced subject. + + + + + + + + + + +

The subject reference UUID could point to an item defined in the SSP, AP, or AR.

+

Tools should check look for the ID in every file imported directly or indirectly.

+
+
+ + + Assessment Assets + Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions. + + + component + + +

Used to add any components for tools used during the assessment. These are represented here to avoid mixing with system components.

+

The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.

+
+
+ + Assessment Platform + Used to represent the toolset used to perform aspects of the assessment. + + + Assessment Platform Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Assessment Platform Title + The title or name for the assessment platform. + + + + + + + + + Uses Component + The set of components that are used by the assessment platform. + + + Component Universally Unique Identifier Reference + + A machine-oriented identifier reference to a component that is implemented as part of an inventory item. + + + + + + + + + + + + + + + + + +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ +
+
+
+ + + + +

Since multiple assessment component entries can be provided, each component must have a unique uuid.

+
+
+
+
+ + + Objective Status + Captures an assessor's conclusions regarding the degree to which an objective is satisfied. + + Finding Target Type + Identifies the type of the target. + + + A reference to a control statement identifier within a control. + A reference to a control objective identifier within a control. + + + +

The target will always be a reference to: 1) a control statement, or 2) a control objective. In the former case, there is always a single top-level statement within a control. Thus, if the entire control is targeted, this statement identifier can be used.

+
+
+ + Finding Target Identifier Reference + + A machine-oriented identifier reference for a specific target qualified by the type. + + + + Objective Status Title + The title for this objective status. + + + Objective Status Description + A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied. + + + + + + + + + Objective Status + A determination of if the objective is satisfied or not within a given system. + + Objective Status State + An indication as to whether the objective is satisfied or not. + + + The objective has been completely satisfied. + The objective has not been completely satisfied, but may be partially satisfied. + + + + + Objective Status Reason + The reason the objective was given it's status. + + + The target system or system component satisfied all the conditions. + The target system or system component did not satisfy all the conditions. + Some other event took place that is not a pass or a fail. + + + +

Reason may contain any value, and should be used to communicate additional information regarding the status.

+
+
+ + + +
+ + +

The implementation-status is used to qualify the status value to indicate the degree to which the control was found to be implemented.

+
+
+ +
+
+ + Finding + Describes an individual finding. + + Finding Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Finding Title + The title for this finding. + + + + Finding Description + A human-readable description of this finding. + + + + + + + + + + +

Used to identify the individual and/or tool generated this finding.

+
+
+ + target + + + Implementation Statement UUID + + A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related. + + + + + + + + + + +
+
+ + Related Observation + Relates the identified element to a set of referenced observations that were used to support its determination. + + Observation Universally Unique Identifier Reference + + A machine-oriented identifier reference to an observation defined in the list of observations. + + + + + + + + Associated Risk + Relates the finding to a set of referenced risks that were used to determine the finding. + + Risk Universally Unique Identifier Reference + + A machine-oriented identifier reference to a risk defined in the list of risks. + + + + + + + + Observation + Describes an individual observation. + + Observation Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Observation Title + The title for this observation. + + + Observation Description + A human-readable description of this assessment observation. + + + + + + + + + Observation Method + Identifies how the observation was made. + + + + An inspection was performed. + An interview was performed. + A manual or automated test was performed. + This is only for use when converting historic content to OSCAL, where the conversion process cannot initially identify the appropriate method(s). + + + + + Observation Type + Identifies the nature of the observation. More than one may be used to further qualify and enable filtering. + + + + A difference between the SSP implementation statement, and actual implementation. + An observation about the status of a the associated control objective. + A mitigating factor was identified. + **(deprecated)** Use 'discovery' instead. + An observation of potential risk in the system's implementation, identified through security scanning tools, penetration testing, and other means. + An observation from a past assessment, which was converted to OSCAL at a later date. + + + + + + +

Used to identify the individual and/or tool that gathered the evidence resulting in the observation identification.

+
+
+ + subject + + +

Identifies who was interviewed, or what was tested or inspected.

+
+
+ + Relevant Evidence + Links this observation to relevant evidence. + + + Relevant Evidence Reference + A resolvable URL reference to relevant evidence. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
  6. +
+
+
+ + + Relevant Evidence Description + A human-readable description of this evidence. + + + + + + + + + +
+ + Collected Field + Date/time stamp identifying when the finding information was collected. + + + Expires Field + Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios. + + +
+ +
+ + Origin + Identifies the source of the finding, such as a tool, interviewed person, or activity. + + + actor + + + + + + + + + Originating Actor + The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool. + + Actor Type + The kind of actor. + + + A reference to a tool component defined with the assessment assets. + A reference to an assessment-platform defined with the assessment assets. + A reference to a party defined within the document metadata. + + + + + Actor Universally Unique Identifier Reference + + A machine-oriented identifier reference to the tool or person based on the associated type. + + + Actor Role + For a party, this can optionally be used to specify the role the actor was performing. + + + + + + + + + + + + Task Reference + Identifies an individual task for which the containing object is a consequence of. + + Task Universally Unique Identifier Reference + + A machine-oriented identifier reference to a unique task. + + + + + + + + + + + +

Identifies the person or organization responsible for performing a specific role defined by the activity.

+
+
+ + subject + + +

The assessment subjects that the task was performed against.

+
+
+ + Identified Subject + Used to detail assessment subjects that were identified by this task. + + Assessment Subject Placeholder Universally Unique Identifier Reference + + A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task. + + + + subject + + +

The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.

+
+
+
+
+ +
+ + + + +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ + + Threat ID + A pointer, by ID, to an externally-defined threat. + id + + Threat Type Identification System + Specifies the source of the threat information. + + + **deprecated** The value conforms to FedRAMP definitions. This value has been deprecated; use http://fedramp.gov/ns/oscal instead. + The value conforms to FedRAMP definitions. + + + +

This value must be an absolute URI that serves as a naming system identifier.

+
+
+ + + Threat Information Resource Reference + An optional location for the threat data, from which this ID originates. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
  6. +
+
+
+
+ + Identified Risk + An identified risk. + + Risk Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Risk Title + The title for this risk. + + + Risk Description + A human-readable summary of the identified risk, to include a statement of how the risk impacts the system. + + + + + Risk Statement + An summary of impact for how the risk affects the system. + + + + + + + + + status + + + + +

Used to identify the individual and/or tool that identified this risk.

+
+
+ + + + + + + + + Mitigating Factor + Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP. + + + Mitigating Factor Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + Implementation UUID + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Mitigating Factor Description + A human-readable description of this mitigating factor. + + + + + + + + + subject + + +

Links identifiable elements of the system to this mitigating factor, such as an inventory-item or component.

+
+
+
+
+ + Risk Resolution Deadline + The date/time by which the risk must be resolved. + + + + + + Risk Log + A log of all risk-related tasks taken. + + + Risk Log Entry + Identifies an individual risk response that occurred as part of managing an identified risk. + + + Risk Log Entry Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Title + The title for this risk log entry. + + + Risk Task Description + A human-readable description of what was done regarding the risk. + + + Start + Identifies the start date and time of the event. + + + End + Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time. + + + + + + + + + + + + status-change + +

Identifies a change in risk status made resulting from the task described by this risk log entry. This allows the risk's status history to be captured as a sequence of risk log entries.

+
+
+ + Risk Response Reference + Identifies an individual risk response that this log entry is for. + + + Response Universally Unique Identifier Reference + + A machine-oriented identifier reference to a unique risk response. + + + + + + + + + + + +

This is used to identify the task(s) that this log entry was generated for.

+
+
+ +
+
+ +
+ + + The type of remediation tracking entry. Can be multi-valued. + + + Contacted vendor to determine the status of a pending fix to a known vulnerability. + Information related to the current state of response to this risk. + A significant step in the response plan has been achieved. + An activity was completed that reduces the likelihood or impact of this risk. + An activity was completed that eliminates the likelihood or impact of this risk. + + The risk is no longer applicable to the system. + A deviation request was made to the authorizing official. + A previously submitted deviation request has been modified. + The authorizing official approved the deviation. + The authorizing official rejected the deviation. + + +
+
+
+ + + +
+ + + + The risk has been confirmed to be a false positive. + The risk has been accepted. No further action will be taken. + The risk has been adjusted. + A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority) + + + +
+ + Logged By + Used to indicate who created a log entry in what role. + + Party UUID Reference + + A machine-oriented identifier reference to the party who is making the log entry. + + + Actor Role + A point to the role-id of the role in which the party is making the log entry. + + + + + + + + Risk Status + Describes the status of the associated risk. + + + The risk has been identified. + The identified risk is being investigated. (Open risk) + Remediation activities are underway, but are not yet complete. (Open risk) + A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk) + A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk) + The risk has been resolved. + + + + + Characterization + A collection of descriptive data about the containing object from a specific origin. + + + + + + + + + +

metadata about the specific actor that generated this descriptive data.

+
+
+ + Facet + An individual characteristic that is part of a larger set produced by the same actor. + + + Facet Name + The name of the risk metric within the specified system. + + + Naming System + Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash. + + + **deprecated** The FedRAMP naming system. This has been deprecated; use http://fedramp.gov/ns/oscal instead. + The facet naming system defined by FedRAMP. + The facet naming system defined by OSCAL. + The facet is from an unknown taxonomy. The meaning of the name is tool or organization specific. + The facet naming system defined by the CVE Program. + + The facet naming system for representing Common Vulnerability Scoring System (CVSS) vectors as defined by the the Forum for Incident Response and Security Teams + CVSS Special Interest Group (CVSS-SIG) for CVSS v2. + The facet naming system for representing Common Vulnerability Scoring System (CVSS) vectors as defined by the the Forum for Incident Response and Security Teams + CVSS Special Interest Group (CVSS-SIG) for CVSS v3.0. + The facet naming system for representing Common Vulnerability Scoring System (CVSS) vectors as defined by the the Forum for Incident Response and Security Teams + CVSS Special Interest Group (CVSS-SIG) for CVSS v3.1. + The facet naming system for representing Common Vulnerability Scoring System (CVSS) vectors as defined by the the Forum for Incident Response and Security Teams + CVSS Special Interest Group (CVSS-SIG) for CVSS v4.0. + + + +

This value must be an absolute URI that serves as a naming system identifier.

+
+
+ + Facet Value + Indicates the value of the facet. + + + + + + + + + + + + + Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk). + + + As first identified. + Indicates that residual risk remains after some adjustments have been made. + + + + General likelihood rating. + General impact rating. + General risk rating. + General severity rating. + + + Likelihood as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. + Impact as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. + Risk as calculated according to FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. + + + An identifier managed by the CVE program (see https://cve.mitre.org/). + + + Base: Access Vector + Base: Access Complexity + Base: Authentication + Base: Confidentiality Impact + Base: Integrity Impact + Base: Availability Impact + Temporal: Exploitability + Temporal: Remediation Level + Temporal: Report Confidence + Environmental: Collateral Damage Potential + Environmental: Target Distribution + Environmental: Confidentiality Requirement + Environmental: Integrity Requirement + Environmental: Availability Requirement + + + Local + Network Adjacent + Network + + + High + Medium + Low + + + Multiple + Single + None + + + None + Partial + Complete + + + Unproven + Proof-of-Concept + Functional + High + Not Defined + + + Official Fix + Temporary Fix + Workaround + Unavailable + Not Defined + + + Unconfirmed + Uncorroborated + Confirmed + Not Defined + + + None + Low (light loss) + Low Medium + Medium High + High (catastrophic loss) + Not Defined + + + None + Low + Medium + High + Not Defined + + + Base: Attack Vector + Base: Attack Complexity + Base: Privileges Required + Base: User Interaction + Base: Scope + Base: Confidentiality Impact + Base: Integrity Impact + Base: Availability Impact + Temporal: Exploit Code Maturity + Temporal: Remediation Level + Temporal: Report Confidence + Environmental: Modified Attack Vector + Environmental: Modified Attack Complexity + Environmental: Modified Privileges Required + Environmental: Modified User Interaction + Environmental: Modified Scope + Environmental: Modified Confidentiality + Environmental: Modified Integrity + Environmental: Modified Availability + Environmental: Confidentiality Requirement Modifier + Environmental: Integrity Requirement Modifier + Environmental: Availability Requirement Modifier + + + Network + Adjacent + Local + Physical + + + High + Low + + + None + Low + High + + + None + Required + + + Unchanged + Changed + + + Not Defined + Unproven + Proof-of-Concept + Functional + High + + + Not Defined + Official Fix + Temporary Fix + Workaround + Unavailable + + + Not Defined + Unknown + Reasonable + Confirmed + + + Not Defined + Low + Medium + High + + + Not Defined + Network + Adjacent + Local + Physical + + + Not Defined + High + Low + + + Not Defined + None + Low + High + + + Not Defined + None + Required + + + Not Defined + Unchanged + Changed + + + Base: Attack Vector + Base: Attack Complexity + Base: Attack Requirements + Base: Privileges Required + Base: User Interaction + Base: Vulnerable System Confidentiality Impact + Base: Vulnerable System Integrity Impact + Base: Vulnerable System Availability Impact + Base: Subsequent System Confidentiality Impact + Base: Vulnerable System Integrity Impact + Base: Vulnerable System Availability Impact + Supplemental: Safety + Supplemental: Automatable + Supplemental: Recovery + Supplemental: Value Density + Supplemental: Vulnerability Response Effort + Supplemental: Provider Urgency + Environmental: Modified Attack Vector + Environmental: Modified Attack Complexity + Environmental: Modified Attack Requirements + Environmental: Modified Privileges Required + Environmental: Modified User Interaction + Environmental: Modified Vulnerable System Confidentiality + Environmental: Modified Vulnerable System Integrity + Environmental: Modified Vulnerable System Availability + Environmental: Subsequent Vulnerable System Confidentiality + Environmental: Subsequent Vulnerable System Integrity + Environmental: Subsequent Vulnerable System Availability + Environmental: Confidentiality Requirements + Environmental: Integrity Requirements + Environmental: Availability Requirements + Threat: Exploit Maturity + + + Attack Vector Values + Network + Adjacent + Local + Physical + + + Attack Complexity Values + High + Low + + + Attack Requirements Values + None + Present + + + Privileges Required, Confidentiality, Integrity, and Availability Values + None + Low + High + + + User Interaction Values + None + Passive + Active + + + Safety Values + Not Defined + Negligible + Present + + + Automatable Values + Not Defined + No + Yes + + + Recovery Values + Not Defined + Automatic + User + Irrecoverable + + + Value Density Values + Not Defined + Automatic + User + Irrecoverable + + + Vulnerability Response Effort Values + Not Defined + Low + Moderate + High + + + Provider Urgency Values + Not Defined + Clear + Green + Amber + Red + + + Modified Attack Vector Values + Not Defined + Network + Adjacent + Local + Physical + + + Modified Attack Complexity Values + Not Defined + High + Low + + + Modified Attack Requirements Values + Not Defined + None + Present + + + Modified Privileges Required, and Vulnerable System Confidentiality, Integrity, and Availability Values + Not Defined + None + Low + High + + + Modified User Interaction Values + Not Defined + None + Passive + Active + + + Modified Subsequent System Confidentiality Values + Not Defined + Negligible + Low + High + + + Modified Safety-Related Subsequent System Integrity and Availability Values + Not Defined + Negligible + Low + High + Safety + + + Vulnerability Response Effort Values + Not Defined + Low + Medium + High + + + Vulnerability Response Effort Values + Not Defined + Attacked + PoC + Unreported + + +
+
+
+ + Risk Response + Describes either recommended or an actual plan for addressing the risk. + + Remediation Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + Remediation Intent + Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner. + + + Recommended remediation. + The actions intended to resolve the risk. + This remediation activities were performed to address the risk. + + + + + + Response Title + The title for this response activity. + + + Response Description + A human-readable description of this response plan. + + + + + + + + + + +

Used to identify the individual and/or tool that generated this recommended or planned response.

+
+
+ + + Required Asset + Identifies an asset required to achieve remediation. + + + Required Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + subject + + +

Identifies an asset associated with this requirement, such as a party, system component, or inventory-item.

+
+
+ + Title for Required Asset + The title for this required asset. + + + Description of Required Asset + A human-readable description of this required asset. + + + + + + + + +
+
+ + + + +
+ + + Risk Response Type + + + The risk will be eliminated. + The risk will be reduced. + The risk will be transferred to another organization or entity. + The risk will continue to exist without further efforts to address it. (Sometimes referred to as "Operationally required") + The risk will be partially transferred to another organization or entity. + Plans will be made to address the risk impact if the risk occurs. (This is a form of mitigation.) + No response, such as when the identified risk is found to be a false positive. + + +
+ + + Objective ID + Points to an assessment objective. + + + + Assessment Part + A partition of an assessment plan or results or a child of another part. + part + + + Part Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + Part Name + A textual label that uniquely identifies the part's semantic type. + + + + An assessment asset. + An assessment method. + Describes a set of control objectives. + + + + + + Part Namespace + A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name. + +

This value must be an absolute URI that serves as a naming system identifier.

+

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

+
+
+ + Part Class + A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns. + +

A class can be used in validation rules to express extra constraints over named items of a specific class value.

+

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

+
+
+ + + Part Title + A name given to the part, which may be used by a tool for display and navigation. + + + + + + + Part Text + Permits multiple paragraphs, lists, tables etc. + + + + + + + + + + + + The assessment method to use. This typically appears on parts with the name "objective". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. + + + +

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

+

A part can be assigned an optional id, which allows for internal and external references to the textual concept contained within a part. A id provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a catalog. For example, an id can be used to reference or to make modifications to a control statement in a profile.

+

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

+

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns + http://fedramp.gov/ns/oscal, while DoD might use the ns + https://defense.gov for any organization specific name.

+

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

+
+
+
diff --git a/release-metaschemas/oscal_assessment-plan_metaschema_RESOLVED.xml b/release-metaschemas/oscal_assessment-plan_metaschema_RESOLVED.xml new file mode 100644 index 000000000..960e96a7b --- /dev/null +++ b/release-metaschemas/oscal_assessment-plan_metaschema_RESOLVED.xml @@ -0,0 +1,135 @@ + + + OSCAL Assessment Plan Model + 1.2.1 + oscal-ap + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL assessment plan format is used to describe the information typically provided by an assessor during the preparation for an assessment.

+

The root of the OSCAL assessment plan format is assessment-plan. +

+
+ + + + + + Security Assessment Plan (SAP) + An assessment plan, such as those provided by a FedRAMP assessor. + assessment-plan + + Assessment Plan Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + +

Used by the SAP to import information about the system being assessed.

+
+
+ + + Local Definitions + Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP. + + + component + + +

Used to add any components, not defined via the System Security Plan (AR->AP->SSP)

+
+
+ + + +

Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)

+
+
+ + user + + +

Used to add any users, not defined via the System Security Plan (AR->AP->SSP)

+
+
+ + + objectives-and-methods + + + + + + + +
+ + + + +

Since multiple component entries can be provided, each component must have a unique uuid.

+
+
+ + + +

A given uuid must be assigned only once to a user.

+
+
+
+
+ + Assessment Plan Terms and Conditions + Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition. + + + + + + + + Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment. + Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure. + Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment. + Defines any assessment activities which the system owner or authorizing official explicitly prohibits from being performed as part of the assessment. + Defines conditions related to the delivery of the assessment results, such as when to deliver, how, and to whom. + Defines any supposition made by the assessor. Has child 'item' parts for each assumption. + An explanation of practices, procedures, and rules used in the course of the assessment. + + + + + + + + + + + + + + + + + +
+ + +
+
diff --git a/release-metaschemas/oscal_assessment-results_metaschema_RESOLVED.xml b/release-metaschemas/oscal_assessment-results_metaschema_RESOLVED.xml new file mode 100644 index 000000000..e68b7a776 --- /dev/null +++ b/release-metaschemas/oscal_assessment-results_metaschema_RESOLVED.xml @@ -0,0 +1,296 @@ + + + + OSCAL Assessment Results Model + 1.2.1 + oscal-ar + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL assessment results format is used to describe the information typically provided by an assessor following an assessment.

+

The root of the OSCAL assessment results format is assessment-results. +

+
+ + + + + + Security Assessment Results (SAR) + Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report. + assessment-results + + Assessment Results Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + +

Used by the SAR to import information about the original plan for assessing the system.

+
+
+ + + Local Definitions + Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP. + + + objectives-and-methods + + + + + activity + + + + + + + + result + + + + +
+
+ + + Assessment Result + Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition. + + Results Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Results Title + The title for this set of results. + + + + Results Description + A human-readable description of this set of test results. + + + start field + Date/time stamp identifying the start of the evidence collection reflected in these results. + + + end field + Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate. + + + + + + + + + + Local Definitions + Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP. + + + component + + +

Used to add any components, not defined via the System Security Plan (AR->AP->SSP)

+
+
+ + + +

Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)

+
+
+ + user + + +

Used to add any users, not defined via the System Security Plan (AR->AP->SSP)

+
+
+ + + +

This needs to be defined in the results if an assessment platform used is different from the one described in the assessment plan. Else the platform(s) defined in the plan may be referenced within the results.

+
+
+ + assessment-task + + +
+ + + + +

Since multiple component entries can be provided, each component must have a unique uuid.

+
+
+ + + +

A given uuid must be assigned only once to a user.

+
+
+
+
+ + + +

The Assessment Results control-selection ignores any control selection in the Assessment Plan and re-selects controls from the baseline identified by the SSP.

+

The Assessment Results control-objective-selection ignores any control objective selection in the Assessment Plan and re-selects control objectives from the baseline identified by the SSP.

+

Any additional control objectives defined in the Assessment Plan local-definitions do not need to be re-defined in the Assessment Results local-definitions; however, if they were explicitly referenced with an Assessment Plan control-objective-selection, they need to be selected again in the Assessment Results control-objective-selection.

+
+
+ + Attestation Statements + A set of textual statements, typically written by the assessor. + + + + + + + + part + + + + + + + +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ + + Assessment Log + A log of all assessment-related actions taken. + + + Assessment Log Entry + + Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results. + + + Assessment Log Entry Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Action Title + The title for this event. + + + + Action Description + A human-readable description of this event. + + + Start + Identifies the start date and time of an event. + + + End + Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+ + + + Import Assessment Plan + Used by assessment-results to import information about the original plan for assessing the system. + + Assessment Plan Reference + A resolvable URL reference to the assessment plan governing the assessment activities. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
  6. +
+
+
+ + + +
+
diff --git a/release-metaschemas/oscal_catalog_metaschema_RESOLVED.xml b/release-metaschemas/oscal_catalog_metaschema_RESOLVED.xml new file mode 100644 index 000000000..c21cc8fcf --- /dev/null +++ b/release-metaschemas/oscal_catalog_metaschema_RESOLVED.xml @@ -0,0 +1,395 @@ + + + + + + + OSCAL Control Catalog Model + 1.2.1 + oscal-catalog + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL Control Catalog format can be used to describe a collection of security controls and related control enhancements, along with contextualizing documentation and metadata. The root of the Control Catalog format is catalog.

+
+ + + + + Catalog + A structured, organized collection of control information. + catalog + + Catalog Universally Unique Identifier + Provides a globally unique means to identify a given catalog instance. + + + + + + + + + + + + + + + + + + + +

Back matter including references and resources.

+
+
+
+ + + The tool used to produce a resolved profile. + The document-level uuid of the source profile from which the catalog was produced by profile resolution. + + + The profile from which the catalog was produced by profile resolution. + The document-level uuid of the profile from which the catalog was produced by profile resolution. + + + + + + + + + + + + + + + + + + + + + +

Catalogs may use one or more group objects to subdivide the control contents of a catalog.

+
+ + A small catalog with a single control. + + A Miniature Catalog + + A Single Control + + + + +
+ + Control Group + A group of controls, or of groups of controls. + + + Group Identifier + + Identifies the group for the purpose of cross-linking within the defining instance or from other instances that reference the catalog. + + + + + + + + Group Class + A textual label that provides a sub-type or characterization of the group. + +

A class can be used in validation rules to express extra constraints over named items of a specific class value.

+

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

+
+
+ + + Group Title + A name given to the group, which may be used by a tool for display and navigation. + + + + + + + + + + + + + + + + + + + + + + + + + + A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases. + An alternative identifier, whose value is easily sortable among other such values in the document. + An alternate or aliased identifier for the parent context. + + + An introduction to a control or a group of controls. + Information providing directions for a control or a group of controls. + + + +

Catalogs can use the catalog group construct to organize related controls into a single grouping, such as a family of controls or other logical organizational structure.

+

A group may have its own properties, statements, parameters, and references, which are inherited by all controls of that are a member of the group.

+
+ + + My Group + + + Control + + + +
+ + Control + A structured object representing a requirement or guideline, which when + implemented will reduce an aspect of risk related to an information system and its + information. + + + Control Identifier + + Identifies a control such that it can be referenced in the defining + catalog and other OSCAL instances (e.g., profiles). + + + + + + + + Control Class + A textual label that provides a sub-type or characterization of the + control. + +

A class can be used in validation rules to express extra + constraints over named items of a specific class + value.

+

A class can also be used in an OSCAL profile as a means to + target an alteration to control content.

+
+
+ + + Control Title + A name given to the control, which may be used by a tool for + display and navigation. + + + + + + + + + + + + + + + + + + + + + + + + + + + + A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases. + An alternative identifier, whose value is easily sortable among other such values in the document. + An alternate or aliased identifier for the parent context. + The status of a control. For example, a + value of 'withdrawn' can indicate that the control has + been withdrawn and should no longer be used. + + + The control is no longer used. + **(deprecated)*** Use 'withdrawn' + instead. + + + The link cites an external resource related to this + control. + The link identifies another control with bearing to + this control. + The link identifies another control that must be + present if this control is present. + The link identifies other control content + where this control content is now addressed. + The containing control definition was moved to the + referenced control. + + + + + + + An introduction to a control or a group of + controls. + A set of implementation requirements or recommendations. + Additional information to consider when selecting, + implementing, assessing, and monitoring a control. + An example of an implemented requirement or control statement. + **(deprecated)** Use + 'assessment-method' instead. + The part describes a method-based assessment + over a set of assessment objects. + + + An individual item within a control statement. + +

Nested statement parts are "item" parts.

+
+
+ + **(deprecated)** Use + 'assessment-objective' instead. + The part describes a set of assessment + objectives. + +

Objectives can be nested.

+
+
+ + **(deprecated)** Use + 'assessment-objects' instead. + Provides a listing of assessment + objects. + +

Assessment objects appear on assessment methods.

+
+
+ + **(deprecated)** Use 'method' in the 'http://csrc.nist.gov/ns/rmf' namespace. The assessment method to use. This typically appears on parts with the name "assessment-method". + + + The assessment method to use. This typically appears on + parts with the name "assessment-method". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. + +
+ +

Each security or privacy control within the catalog is defined by a distinct control instance. Controls may be as complex or as simple as a catalog defines them. They may be decomposed or further specified into child control objects, for example to represent control enhancements or specific breakouts of control functionality, to be maintained as discrete requirements. Controls may also contain structured parts (using part) and they may be grouped together in families or classes with group.

+

Control structures in OSCAL will also exhibit regularities and rules that are not codified in OSCAL but in its applications or domains of application. For example, for catalogs describing controls as defined by NIST SP 800-53, a control must have a part with the name "statement", which represents the textual narrative of the control. This "statement" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text. This organization supports addressability of this data content as long as, and only insofar as, it is consistently implemented across the control set. As given with these model definitions, constraints defined and assigned here can aid in ensuring this regularity; but other such constraints and other useful patterns of use remain to be discovered and described.

+
+ + + Control 1 + + +
+
diff --git a/release-metaschemas/oscal_complete_metaschema_RESOLVED.xml b/release-metaschemas/oscal_complete_metaschema_RESOLVED.xml new file mode 100644 index 000000000..3af84fc34 --- /dev/null +++ b/release-metaschemas/oscal_complete_metaschema_RESOLVED.xml @@ -0,0 +1,22 @@ + + + + + + OSCAL Unified Model of Models + 1.2.1 + oscal-complete + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal/1.0 + +

This format represents a combination of all of the OSCAL models.

+
+ + + + + + + + +
diff --git a/release-metaschemas/oscal_component_metaschema_RESOLVED.xml b/release-metaschemas/oscal_component_metaschema_RESOLVED.xml new file mode 100644 index 000000000..19409c743 --- /dev/null +++ b/release-metaschemas/oscal_component_metaschema_RESOLVED.xml @@ -0,0 +1,574 @@ + + + + OSCAL Component Definition Model + 1.2.1 + oscal-component-definition + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL Component Definition Model can be used to describe the implementation of controls in a component or a set of components grouped as a capability. A component can be either a technical component, or a documentary component.

+

A technical component is a component that is implemented in hardware (physical or virtual) or software. Suppliers may document components in an OSCAL component definition that describes the implementation of controls in their hardware and software.

+

A documentary component is a component implemented for a documented process, procedure, or policy. Suppliers may document components in an OSCAL component definition that describes the implementation of controls in their process, procedure, or policy.

+

The information provided by a technical or documentary component can be used by component consumers to provide starting narratives for documenting control implementations in an OSCAL SSP.

+

The root of the OSCAL Implementation Layer Component Definition model is component-definition.

+
+ + + Component Definition + A collection of component descriptions, which may optionally be grouped by capability. + component-definition + + Component Definition Universally Unique Identifier + + Provides a globally unique means to identify a given component definition instance. + + + + + + + + + + + + + component + + + + + + + + + + + +

Since multiple component entries can be provided, each component must have a unique uuid.

+
+
+ + + +

A given component must not be referenced more than once within the same capability.

+
+
+
+
+ + Import Component Definition + Loads a component definition from another resource. + + Hyperlink Reference + A link to a resource that defines a set of components and/or capabilities to import into this collection. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
  6. +
+
+
+ + + + +
+ + Component + A defined component that can be part of an implemented system. + + Component Identifier + + Provides a globally unique means to identify a given component. + + + + + + + + type + + + + Component Title + A human readable name for the component. + + + Component Description + A description of the component, including information about its function. + + + Purpose + A summary of the technological or business purpose of the component. + + + + + + + + + + + + + +

Used for service components to define the protocols supported by the service.

+
+
+ + + + + +
+ + + + + + + + The version of the component. + The specific patch level of the component. + The model of the component. + + The date the component was released, such as a software release date or policy publication date. + Used with component-type='validation' to provide a well-known name for a kind of validation. + Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component. + + Simple indication of the asset's function, such as Router, Storage Array, DNS Server. + An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item. + An asset tag assigned by the organization responsible for maintaining the logical or tangible item. + Identifies whether the asset is publicly accessible (yes/no) + Identifies whether the asset is virtualized (yes/no) + Virtual LAN identifier of the asset. + The network identifier of the asset. + A human-readable label for the parent context. + An alternative identifier, whose value is easily sortable among other such values in the document. + The name of the baseline configuration for the asset. + Can the asset be check with an authenticated scan? (yes/no) + The function provided by the asset for the system. + **(deprecated)** Use 'model' instead. + The model of system used by the asset. + The name of the operating system used by the asset. + The version of the operating system used by the asset. + The software product name used by the asset. + The software product version used by the asset. + The software product patch level used by the asset. + + + + + + + + A reference to another component that this component has a dependency on. + + A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component + A pointer to a validation record (e.g., FIPS 140-2) or other compliance information. + + A reference to the baseline template used to configure the asset. + This service is used by the referenced component identifier. + A link to the system security plan of the external system. + This component uses the network provided by the identified network component. + + + + + + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + + Members of the security operations center (SOC). + + Members of the network operations center (NOC). + Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions. + Responsible for providing information and support to users. + + Responsible for the configuration management processes governing changes to the asset. + Responsible for the creation and maintenance of a component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + + + + System software that manages computer hardware, software resources, and provides common services for computer programs. + An electronic collection of data, or information, that is specially organized for rapid search and retrieval. + A system that delivers content or services to end users over the Internet or an intranet. + A system that resolves domain names to internet protocol (IP) addresses. + A computer system that sends and receives electronic mail messages. + A system that stores, organizes and provides access to directory information in order to unify network resources. + A private branch exchange (PBX) provides a a private telephone switchboard. + A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. + A physical or virtual networking device that forwards data packets between computer networks. + A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device. + A consolidated, block-level data storage capability. + A physical or virtual machine that centralizes hardware, software, or services for a specific purpose. + + + + + + + The component allows an authenticated scan. + The component does not allow an authenticated scan. + + + The component is virtualized. + The component is not virtualized. + + + The component is publicly accessible. + The component is not publicly accessible. + + + The component is implemented within the system boundary. + The component is implemented outside the system boundary. + + + + + + + + + + + + + + + + If a "software" component-type, the identifier, such as a SWID tag, for the software component. + + + + + + This service is provided by the referenced component identifier. + + This service is used by the referenced component identifier. + + + + + + + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+ +

Components may be products, services, APIs, policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

+

The type indicates which of these component types is represented.

+

A group of components may be aggregated into a capability. For example, an account management capability that consists of an account management process, and a Lightweight Directory Access Protocol (LDAP) software implementation.

+

Capabilities are expressed by combining one or more components.

+
+
+ + Component Type + A category describing the purpose of the component. + + + A connection to something outside this system. + Any software, operating system, or firmware. + A physical device. + A service that may provide APIs. + An enforceable policy. + A tangible asset used to provide physical protections or countermeasures. + + A list of steps or actions to take to achieve some end result. + An applicable plan. + Any guideline or recommendation. + Any organizational or industry standard. + An external assessment performed on some other component, that has been validated by a third-party. + + + + + Capability + A grouping of other components and/or capabilities. + + Capability Identifier + + Provides a globally unique means to identify a given capability. + + + + + + + + Capability Name + The capability's human-readable name. + + + + Capability Description + A summary of the capability. + + + + + + + + + + + + + + + + + + + +

A given component must not be referenced more than once within the same capability.

+
+
+ +
+
+ + Incorporates Component + + The collection of components comprising this capability. + + Component Reference + + A machine-oriented identifier reference to a component. + + + + Component Description + A description of the component, including information about its function. + + + + + Control Implementation Set + Defines how the component or capability supports a set of controls. + + Control Implementation Set Identifier + + Provides a means to identify a set of control implementations that are supported by a given component or capability. + + + + + + + + Source Resource Reference + A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
  6. +
+
+
+ + + Control Implementation Description + A description of how the specified set of controls are implemented for the containing component or capability. + + + + + + + + + + + + + + + + + + +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

+
+
+
+ +

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

+
+
+ + Control Implementation + Describes how the containing component or capability implements an individual control. + + Control Implementation Identifier + + Provides a globally unique means to identify a given control implementation by a component. + + + + + + + + + + Control Implementation Description + A suggestion from the supplier (e.g., component vendor or author) for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan. + + + + + + + + + + + + + + + + + + + + + + +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

+
+
+ + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+ + + +

Since statement entries can be referenced using the statement's statement-id, each statement must be referenced only once.

+
+
+
+ +

Implemented requirements within a component or capability in a component definition provide a means for component suppliers to suggest possible control implementation details, which may be used by a different party (e.g., component consumers) when authoring a system security plan. Thus, these requirements defined in a component definition are only a suggestion of how to implement, which may be adopted wholesale, changed, or ignored by a person defining an information system implementation.

+

Use of set-parameter in this context, sets the parameter for the referenced control and any associated statements.

+
+
+ + Control Statement Implementation + Identifies which statements within a control are addressed. + + +

A reference to the specific implemented statement associated with a control.

+
+
+ + Control Statement Reference Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). + + + + Statement Implementation Description + A summary of how the containing control statement is implemented by the component or capability. + + + + + + + + + + + + + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+
diff --git a/release-metaschemas/oscal_control-common_metaschema_RESOLVED.xml b/release-metaschemas/oscal_control-common_metaschema_RESOLVED.xml new file mode 100644 index 000000000..14f57920f --- /dev/null +++ b/release-metaschemas/oscal_control-common_metaschema_RESOLVED.xml @@ -0,0 +1,344 @@ + + + + + + + OSCAL Control Catalog Format -- Common Models + 1.2.1 + oscal-control-common + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + + + + + + Part + An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part. + + + Part Identifier + + A unique identifier for the part. + + + + + + +

While a part is not required to have an id, it is often desirable for an identifier to be provided, which allows the part to be referenced elsewhere in OSCAL document instances. For this reason, it is RECOMMENDED to provide a part identifier.

+
+
+ + Part Name + A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns. + + + Part Namespace + An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name. + +

This value must be an absolute URI that serves as a naming system identifier.

+

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

+
+
+ + Part Class + An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs. + +

One use of this flag is to distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns (since even within a given namespace it can be useful to overload a name).

+

A class can be used in validation rules to express extra constraints over named items of a specific class value.

+

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

+
+
+ + + Part Title + An optional name given to the part, which may be used by a tool for display and navigation. + + + + + + Part Text + Permits multiple paragraphs, lists, tables etc. + + + + + + + + + + + + A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases. + An alternative identifier, whose value is easily sortable among other such values in the document. + An alternate or aliased identifier for the parent context. + + + +

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

+

A part can be assigned an optional id, which allows references to this part from within a catalog, or within an instance of another OSCAL model that has a need to reference the part. Examples of where part referencing is used in OSCAL include:

+
    +
  • Referencing a part by id to tailor (make modifications to) a control statement in a profile.
  • +
  • Referencing a control statement represented by a part in a system security plan implemented-requirement where a statement-level response is desired.
  • +
+

Use of part and prop provides for a wide degree of extensibility within the OSCAL catalog model. The optional ns provides a means to qualify a part's name, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a ns value that represents the organization, making a given namespace qualified name unique to that organization. This allows the combination of ns and name to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no ns is provided, the name is expected to be in the "OSCAL" namespace.

+

To ensure a ns is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the ns + http://fedramp.gov/ns/oscal, while DoD might use the ns + https://defense.gov for any organization specific name.

+

Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.

+
+ + Multiple Parts with Different Organization-Specific Names. + + A requirement specific to FedRAMP stakeholders. + A requirement specific to the Department of Defense stakeholders. + + +
+ + + + + + Parameter + Parameters provide a mechanism for the dynamic assignment of value(s) in a control. + param + + + Parameter Identifier + A unique identifier for the parameter. + + + + + + + + + Parameter Class + A textual label that provides a characterization of the type, + purpose, use or scope of the parameter. + +

A class can be used in validation rules to express extra constraints over named items of a specific class value.

+
+
+ + Depends on + + (deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used. + + + + + + + + + + + Parameter Label + A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned. + +

The label value is intended use when rendering a parameter in generated documentation or a user interface when a parameter is referenced. Note that labels are not required to be distinctive, which means that parameters within the same control may have the same label.

+
+
+ + Parameter Usage Description + Describes the purpose and use of a + parameter. + + + constraint + + + + guideline + + + + + value + + +

A set of values provided in a catalog can be redefined in OSCAL's profile or system-security-plan models.

+
+
+ + select + +

The OSCAL parameter value construct can be used to prescribe a specific parameter value in a catalog or profile. In cases where a prescriptive value is not possible in a catalog or profile, it may be possible to constrain the set of possible values to a few options. Use of select in a parameter instead of value is a way of defining value options that may be set.

+

A set of allowed parameter values expressed as a set of options which may be selected. These options constrain the permissible values that may be selected for the containing parameter. When the value assignment is made, such as in an OSCAL profile or system security plan, the actual selected value can be examined to determine if it matches one of the permissible choices for the parameter value.

+

When the value of how-many is set to "one-or-more", multiple values may be assigned reflecting more than one choice.

+
+
+
+ +
+ + + A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases. + An alternative identifier, whose value is easily sortable among other such values in the document. + An alternate or aliased identifier for the parent context. + An alternate to the value provided by the parameter's label. This will typically be qualified by a class. + + + The parent parameter provides an + aggregation of two or more other parameters, each described + by this property. + + + depends-on is deprecated + + + +

In a catalog, a parameter is typically used as a placeholder for the future assignment of a parameter value, although the OSCAL model allows for the direct assignment of a value if desired by the control author. The value may be optionally used to specify one or more values. If no value is provided, then it is expected that the value will be provided at the Profile or Implementation layer.

+

A parameter can include a variety of metadata options that support the future solicitation of one or more values. A label provides a textual placeholder that can be used in a tool to solicit parameter value input, or to display in catalog documentation. The desc provides a short description of what the parameter is used for, which can be used in tooling to help a user understand how to use the parameter. A constraint can be used to provide criteria for the allowed values. A guideline provides a recommendation for the use of a parameter.

+
+
+ + Constraint + A formal or informal expression of a constraint or test. + + + Constraint Description + A textual summary of the constraint to be applied. + + + Constraint Test + A test expression which is expected to be evaluated by a tool. + + + + Constraint test + A formal (executable) expression of a + constraint. + + + + + + + + Guideline + A prose statement that provides a recommendation for the use of a parameter. + + + Guideline Text + Prose permits multiple paragraphs, lists, tables etc. + + + + + Parameter Value + A parameter value or set of values. + + + Selection + Presenting a choice among alternatives. + + Parameter Cardinality + Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted. + + + Only one value is permitted. + One or more values are permitted. + + + + + + Choice + A value selection among several such + options. + value + + + + +

A set of parameter value choices, that may be picked from to set the parameter value.

+
+
+ + + + + Control Identifier Reference + + A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). + + + + + + Include All + Include all controls from the imported catalog or profile resources. + +

This element provides an alternative to calling controls individually from a catalog.

+
+
+ + + + + Pattern + A glob expression matching the IDs of one or more controls to be selected. + + + Include Contained Controls with Control + When a control is included, whether its child (dependent) controls are also included. + + + Include child controls with an included control. + When importing a control, only include child controls that are also explicitly called. + + + + + Match Controls by Identifier + Selecting a control by its ID given as a literal. + + + Match Controls by Pattern + Selecting a set of controls by matching their IDs with a wildcard pattern. + + + + + + + + Select Control + Select a control or controls from an imported control set. + + + + + + + + + + +

If with-child-controls is yes on the call to a control, no sibling callelements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

+
+
+
diff --git a/release-metaschemas/oscal_implementation-common_metaschema_RESOLVED.xml b/release-metaschemas/oscal_implementation-common_metaschema_RESOLVED.xml new file mode 100644 index 000000000..b85b61475 --- /dev/null +++ b/release-metaschemas/oscal_implementation-common_metaschema_RESOLVED.xml @@ -0,0 +1,900 @@ + + + + OSCAL Implementation Common Information + 1.2.1 + oscal-implementation-common + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + + + + + + + Component + A defined component that can be part of an implemented system. + + Component Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + type + + + + Component Title + A human readable name for the system component. + + + Component Description + A description of the component, including information about its function. + + + Purpose + A summary of the technological or business purpose of the component. + + + + + + + + + Status + Describes the operational status of the system component. + + State + The operational status. + + + The component is being designed, developed, or implemented. + The component is currently operational and is available for use in the system. + The component is no longer operational. + Some other state. + + + + + + + + + + + + + +

Used for service components to define the protocols supported by the service.

+
+
+ +
+ + + + Relative placement of component ('internal' or 'external') to the system. + UUID of the related leveraged-authorization assembly in this SSP. + UUID of the component as it was assigned in the leveraged system's SSP. + + + + + + Simple indication of the asset's function, such as Router, Storage Array, DNS Server. + An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item. + An asset tag assigned by the organization responsible for maintaining the logical or tangible item. + Identifies whether the asset is publicly accessible (yes/no) + Identifies whether the asset is virtualized (yes/no) + Virtual LAN identifier of the asset. + The network identifier of the asset. + A human-readable label for the parent context. + An alternative identifier, whose value is easily sortable among other such values in the document. + The name of the baseline configuration for the asset. + Can the asset be check with an authenticated scan? (yes/no) + The function provided by the asset for the system. + **(deprecated)** Use 'model' instead. + The model of system used by the asset. + The name of the operating system used by the asset. + The version of the operating system used by the asset. + The software product name used by the asset. + The software product version used by the asset. + The software product patch level used by the asset. + + The version of the component. + The specific patch level of the component. + The model of the component. + + The date the component was released, such as a software release date or policy publication date. + Used with component-type='validation' to provide a well-known name for a kind of validation. + Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component. + + + + + + + A reference to another component that this component has a dependency on. + + A reference to another component of component-type=validation, that is a validation (e.g., FIPS 140-2) for this component + A pointer to a validation record (e.g., FIPS 140-2) or other compliance information. + + A reference to the baseline template used to configure the asset. + This service is used by the referenced component identifier. + A link to the system security plan of the external system. + This component uses the network provided by the identified network component. + The hyperlink identifies a URI pointing to the component in a component-definition that originally defined the component. + + + + + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + + Members of the security operations center (SOC). + + Members of the network operations center (NOC). + Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions. + Responsible for providing information and support to users. + + Responsible for the configuration management processes governing changes to the asset. + Responsible for the creation and maintenance of a component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + + + + System software that manages computer hardware, software resources, and provides common services for computer programs. + An electronic collection of data, or information, that is specially organized for rapid search and retrieval. + A system that delivers content or services to end users over the Internet or an intranet. + A system that resolves domain names to internet protocol (IP) addresses. + A computer system that sends and receives electronic mail messages. + A system that stores, organizes and provides access to directory information in order to unify network resources. + A private branch exchange (PBX) provides a a private telephone switchboard. + A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. + A physical or virtual networking device that forwards data packets between computer networks. + A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device. + A consolidated, block-level data storage capability. + A physical or virtual machine that centralizes hardware, software, or services for a specific purpose. + + + The component allows an authenticated scan. + The component does not allow an authenticated scan. + + + The component is publicly accessible. + The component is not publicly accessible. + + + The component is virtualized. + The component is not virtualized. + + + The component is implemented within the system boundary. + The component is implemented outside the system boundary. + + + + + + + + + + + The name of the company or organization + + + + + + + + A link to an online information provided by the authorizing body. + + + + + + If a "software" component-type, the identifier, such as a SWID tag, for the software component. + + + + + + This service is provided by the referenced component identifier. + + This service is used by the referenced component identifier. + + + + + + Title of the Interconnection Security Agreement (ISA). + Date of the Interconnection Security Agreement (ISA). + The name of the remote interconnected system. + The Internet Protocol Version 4 address is for an interconnection, service, or software component. + The Internet Protocol Version 6 address is for an interconnection, service, or software component. + The direction categorizes the network connectivity of an interconnection, service, or software component. + A Uniform Resource Identifier (URI) is for an interconnection, service, or software component. + The full-qualified domain name (FQDN) of the asset. + + + The Internet Protocol Version 4 address is for an interconnection, service, or software component. + The Internet Protocol Version 6 address is for an interconnection, service, or software component. + The direction categorizes the network connectivity of an interconnection, service, or software component. + A Uniform Resource Identifier (URI) is for an interconnection, service, or software component. + The full-qualified domain name (FQDN) of the asset. + + + The identified IP address is for this system. + The identified IP address is for the remote system to which this system is connected. + + + + A link to the system interconnection agreement. + + + Interconnection Security Agreement (ISA) point of contact (POC) for this system. + Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system. + Interconnection Security Agreement (ISA) authorizing official for this system. + Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system. + + + + + + + Data from the remote system flows into this system. + Data from this system flows to the remote system. + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+ +

Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

+

The type indicates which of these component types is represented.

+ +

When defining a service component where are relationship to other components is known, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifier(s) that provide and use the service respectively.

+
+
+ + Component Type + A category describing the purpose of the component. + + + The system as a whole. + An external system, which may be a leveraged system or the other side of an interconnection. + A connection to something outside this system. + Any software, operating system, or firmware. + A physical device. + A service that may provide APIs. + An enforceable policy. + A tangible asset used to provide physical protections or countermeasures. + + A list of steps or actions to take to achieve some end result. + An applicable plan. + Any guideline or recommendation. + Any organizational or industry standard. + An external assessment performed on some other component, that has been validated by a third-party. + A physical or virtual network. + + + + + Service Protocol Information + Information about the protocol used to provide a service. + + Service Protocol Information Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + Protocol Name + The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. + + +

The short name of the protocol (e.g., https).

+
+
+ + + Protocol Title + A human readable name for the protocol (e.g., Transport Layer Security). + + + + + + + + It is a best practice to provide a UUID. + + +
+ + Port Range + Where applicable this is the transport layer protocol port range an IPv4-based or IPv6-based service uses. + + Start + Indicates the starting port number in a port range for a transport layer protocol + +

Should be a number within a permitted range

+
+
+ + End + Indicates the ending port number in a port range for a transport layer protocol + +

Should be a number within a permitted range

+
+
+ + Transport + Indicates the transport type. + + + Transmission Control Protocol + User Datagram Protocol + + + + + + + + + + A port range should have a start port given. + + + A port range should have an end port given. To define a single port, the start and end should be the same value. + + + The port range start should not be after its end. + + + +

To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for non-contiguous ranges.

+
+ + Example of protocol and port-range encoding. + + + + + + +
+ + Implementation Status + Indicates the degree to which the a given control is implemented. + + Implementation State + Identifies the implementation status of the control or control objective. + + + The control is fully implemented. + The control is partially implemented. + There is a plan for implementing the control as explained in the remarks. + There is an alternative implementation for this control as explained in the remarks. + This control does not apply to this system as justified in the remarks. + + + + + + + + + + + + System User + A type of user that interacts with the system based on an associated role. + + User Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + User Title + A name given to the user, which may be used by a tool for display and navigation. + + + User Short Name + A short common name, abbreviation, or acronym for the user. + + + User Description + A summary of the user's purpose within the system. + + + + + + + + + + + + + + + + + + + The type of user, such as internal, external, or general-public. + The user's privilege level within the system, such as privileged, non-privileged, no-logical-access. + + + A user account for a person or entity that is part of the organization who owns or operates the system. + A user account for a person or entity that is not part of the organization who owns or operates the system. + A user of the system considered to be outside + + + This role has elevated access to the system, such as a group or system administrator. + This role has typical user-level access to the system without elevated access. + This role has no access to the system, such as a manager who approves access as part of a process. + + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + + Members of the security operations center (SOC). + + Members of the network operations center (NOC). + Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions. + Responsible for providing information and support to users. + + Responsible for the configuration management processes governing changes to the asset. + + + +

Permissible values to be determined closer to the application, such as by a receiving authority.

+
+
+ + Privilege + Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege. + + + Privilege Title + A human readable name for the privilege. + + + Privilege Description + A summary of the privilege's purpose within the system. + + + + + + + + Functions Performed + Describes a function performed for a given authorized privilege by this user class. + + + + + + Inventory Item + A single managed inventory item within the system. + + + Inventory Item Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + + Inventory Item Description + A summary of the inventory item stating its purpose within the system. + + + + + + + + + + + + + Implemented Component + The set of components that are implemented in a given system inventory item. + + + Component Universally Unique Identifier Reference + + A machine-oriented identifier reference to a component that is implemented as part of an inventory item. + + + + + + + + + + + + + + + +

This construct is used to either: 1) associate a party or parties to a role defined on the component using the responsible-role construct, or 2) to define a party or parties that are responsible for a role defined within the context of the containing inventory-item. +

+
+
+ +
+ + + + + + + + The version of the component. + The specific patch level of the component. + The model of the component. + + The date the component was released, such as a software release date or policy publication date. + Used with component-type='validation' to provide a well-known name for a kind of validation. + Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component. + + Simple indication of the asset's function, such as Router, Storage Array, DNS Server. + An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item. + An asset tag assigned by the organization responsible for maintaining the logical or tangible item. + Identifies whether the asset is publicly accessible (yes/no) + Identifies whether the asset is virtualized (yes/no) + Virtual LAN identifier of the asset. + The network identifier of the asset. + A human-readable label for the parent context. + An alternative identifier, whose value is easily sortable among other such values in the document. + The name of the baseline configuration for the asset. + Can the asset be check with an authenticated scan? (yes/no) + The function provided by the asset for the system. + **(deprecated)** Use 'model' instead. + The model of system used by the asset. + The name of the operating system used by the asset. + The version of the operating system used by the asset. + The software product name used by the asset. + The software product version used by the asset. + The software product patch level used by the asset. + + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + + Members of the security operations center (SOC). + + Members of the network operations center (NOC). + Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions. + Responsible for providing information and support to users. + + Responsible for the configuration management processes governing changes to the asset. + + + + + +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ +
+ + + The Internet Protocol v4 Address of the asset. + The Internet Protocol v6 Address of the asset. + The full-qualified domain name (FQDN) of the asset. + A Uniform Resource Identifier (URI) for the asset. + A serial number for the asset. + The NetBIOS name for the asset. + The media access control (MAC) address for the asset. + The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers). + is the asset subjected to network scans? (yes/no) + + Simple indication of the asset's function, such as Router, Storage Array, DNS Server. + An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item. + An asset tag assigned by the organization responsible for maintaining the logical or tangible item. + Identifies whether the asset is publicly accessible (yes/no) + Identifies whether the asset is virtualized (yes/no) + Virtual LAN identifier of the asset. + The network identifier of the asset. + A human-readable label for the parent context. + An alternative identifier, whose value is easily sortable among other such values in the document. + The name of the baseline configuration for the asset. + Can the asset be check with an authenticated scan? (yes/no) + The function provided by the asset for the system. + **(deprecated)** Use 'model' instead. + The model of system used by the asset. + The name of the operating system used by the asset. + The version of the operating system used by the asset. + The software product name used by the asset. + The software product version used by the asset. + The software product patch level used by the asset. + + + + + System software that manages computer hardware, software resources, and provides common services for computer programs. + An electronic collection of data, or information, that is specially organized for rapid search and retrieval. + A system that delivers content or services to end users over the Internet or an intranet. + A system that resolves domain names to internet protocol (IP) addresses. + A computer system that sends and receives electronic mail messages. + A system that stores, organizes and provides access to directory information in order to unify network resources. + A private branch exchange (PBX) provides a a private telephone switchboard. + A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. + A physical or virtual networking device that forwards data packets between computer networks. + A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device. + A consolidated, block-level data storage capability. + A physical or virtual machine that centralizes hardware, software, or services for a specific purpose. + + + The name of the company or organization + + + The asset is included in periodic vulnerability scanning. + The asset is not included in periodic vulnerability scanning. + + + A reference to the baseline template used to configure the asset. + + + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + + Members of the security operations center (SOC). + + Members of the network operations center (NOC). + Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions. + Responsible for providing information and support to users. + + Responsible for the configuration management processes governing changes to the asset. + Responsible for the creation and maintenance of a component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + + + + + + + + + +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ + + Control Statement Reference + + A human-oriented identifier reference to a control statement. + + + Set Parameter Value + Identifies the parameter that will be set by the enclosed value. + + + + + Parameter Value + A parameter value or set of values. + + + + + + + + + System Identification + + + A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document. + id + + Identification System Type + Identifies the identification system from which the provided identifier was assigned. + + + **deprecated** The identifier was assigned by FedRAMP. This has been deprecated; use http://fedramp.gov/ns/oscal instead. + The identifier was assigned by FedRAMP. + **deprecated** A Universally Unique Identifier (UUID) as defined by RFC4122. This value has been deprecated; use http://datatracker.ietf.org/doc/html/rfc4122 instead. + **deprecated** A Universally Unique Identifier (UUID) as defined by RFC4122. This value has been deprecated; use http://datatracker.ietf.org/doc/html/rfc4122 instead. + A Universally Unique Identifier (UUID) as defined by RFC4122. + + + +

This value must be an absolute URI that serves as a naming system identifier.

+
+
+
+ + + + Parameter ID + + A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context. + + Example of a human-oriented parameter reference. + + System ISSO + + + +
diff --git a/release-metaschemas/oscal_mapping-common_metaschema_RESOLVED.xml b/release-metaschemas/oscal_mapping-common_metaschema_RESOLVED.xml new file mode 100644 index 000000000..41c0469d0 --- /dev/null +++ b/release-metaschemas/oscal_mapping-common_metaschema_RESOLVED.xml @@ -0,0 +1,659 @@ + + + + OSCAL Mapping Model -- Common Models + 1.2.1 + oscal-mapping-common + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + + + + + + + Control Mapping + A mapping between two target resources. + + Mapping Universally Unique Identifier + A + machine-oriented, globally + unique identifier with + cross-instance scope that can be used to reference this mapping definition + elsewhere in this or other OSCAL instances. The locally defined UUID of the + mapping can be used to reference the data item locally or globally (e.g., in + an imported OSCAL instance). This UUID should be assigned + per-subject, which means it should be consistently used to identify the same + mapping across revisions of the document. + + + + + + + source-resource + + + target-resource + + + + + + + + + + + + + + source-gap-summary + + + target-gap-summary + + + + + + + Mapping Entry + A relationship-based mapping between a source and target set consisting of + members (i.e., controls, control statements) from the respective source and target. + + Mapping Entry Identifier + The unique identifier for the mapping entry. + + + Relationship Value Namespace + A namespace qualifying the relationship's value. This allows + different organizations to associate distinct semantics for relationships + with the same name. + +

This value must be an absolute + URI that serves as a naming + system identifier.

+

When a ns is not provided, its value should be assumed to be + http://csrc.nist.gov/ns/oscal and the name should be a name defined by + the associated OSCAL model.

+
+
+ + + + Mapping Entry Relationship + The relationship type for the mapping entry, which describes the + relationship between the effective requirements of the specified source and + target sets in the context of the matching-rationale method globaly + defined in the provenance unless overwritten locally in the + map. The relationship type and the matching-rationale + must be used together. However, more than one matching-rationale + method may apply to a source and target pair. + type + + + The source and target + requirements are similar, although not necessarily identical. The words + may differ, but both mapped sets convey similar information with the + same effective meaning. This relationship may be reversed, since `A + equivalent-to B` also means that `B equivalent-to A`. This relationship + is less suitable for a syntactic + matching-rationale + . + The source and target + requirements are the same. Differences in capitalization, spelling, and + grammar can be ignored, if these differences do not change the meaning. + This relationship may be reversed, since `A equal-to B` also means that + `B equal-to A`. + The source requirements are a subset of + target requirements. In other words, target contains + all sourcerequirements and aditional others. This + relationship may be reversed as a `superset-of`, since `A subset-of B` + also means that `B superset-of A`. + The source requirements are a + superset of target requirements. In other words, + source contains all targetrequirements and aditional + others. This relationship may be reversed as a `subset-of`, since `A + superset-of B` also means that `B subset-of A`. + The source and target + requirements have some overlap, but each includes content that the other + does not. This relationship may be reversed, since `A intersects-with B` + also means that `B intersects-with A`. A mapping at statement level + could result on relationships mapping that allows for more + inference than using this relationship type. + The source and target + requirements are not related; their content does not overlap. This + relation is introduced not with the intention to support exhaustiv + mapping of all requirements and statements that have no overlap, but + rather to support edge cases such is the need to tailor a + relationship in the context of a component or system to better + align with the implementation and configuration of the respective + component or system. Also, this relationship is provided in + support of the NIST IR + 8477. + + + +

For example, consider the CSF 1.1's PR.AC-1, "Identities and credentials are + issued, managed, verified, revoked, and audited for authorized devices, + users and processes", and the Privacy Framework's PR.AC-P1, "Identities and + credentials are issued, managed, verified, and devices."

+

These two requirements have identical wording except for "users” versus + “individuals” and the order of the last few words. With a + `matching-rationale` of syntactic, the relationship type would beintersects + with because the two overlap, but each includes content that the other does + not. However, with a rationale of semantic, the relationship type would be + equal if “users” and “individuals” have the same meaning in their respective + sources, subset if “users” was a subset of “individuals,” and so on.

+

When establishing relationships, mapping SHOULD be done at the control + statement level where possible. This approach allows for a more accurate + relationship.

+
+
+ + source + + + + target + + + + qualifier + + + + + + + + + + + +
+
+ + Mapping Entry Item (source or target) + A specific edge within a source or target that is the subject of a mapping. + + Subject Type + The semantic type of the subject. + + + A control as + defined by OSCAL. + A textual element of a control that defines part of the + control's requirements. + + + + + Subject Identifier Reference + A reference to an identified subject that is of the specified type + . + + + + + + + + + + + + + Mapped Resource Reference + A reference to a resource that is either the source or the target of a mapping. + + Resource Type Namespace + An optional namespace qualifying the resource's type. + +

This value must be an absolute URI that serves as a naming system identifier.

+

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the type should be a type defined by the associated OSCAL model.

+
+
+ + Resource Type + The semantic type of the resource. + + + The mapped resource is a control catalog. + The mapped resource is a control profile. A resolved + profile is also accepted. + + + +

The type value must be interpreted in the context of the + associated ns value.

+

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal + and this type should be set to one of the OSCAL defined values.

+
+
+ + Catalog or Profile Reference + A resolvable URL reference to the base catalog or profile that this profile + is tailoring. + +

This value may be one of:

+
    +
  1. an absolute + URI that points to a network resolvable resource,
  2. +
  3. a relative + reference pointing to a network resolvable resource whose base URI is + the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter + resource in this or an imported document (see linking + to another OSCAL object).
  6. +
+
+
+ + + + + + + + + +
+ + + Relationship Qualifier + Describes requirements, incompatibilities and gaps that are identified between + a target and source in a mapping item. + + Subject + The focus of the qualifier. + + + This qualifier is related to the source in the mapped + relationship. + This qualifier is related to the target in the mapped + relationship. + This qualifier is related to both the source and target in + the mapped relationship. + + + + + Predicate + The predicate describes how the qualifer applies to the subject. + + + The subject has a requirement that must be met for + the relationship to be satisfied. + The subject has an incompatibility which + impacts the relationship. + + + + + Category + The category expresses the resolvable nature of the predicate. + + + A restriction exists, and is defined in the + description. + The qualifier is addressable, and is outlined in the + description. + The mapping is blocked due to the reason noted in the + description. + + + + + + Description of the qualifier + Details that outline what requirements must be met, or cannot be met. + If the qualifier identifies a gap, this should idenfity the gap, and any + incompatibilities. + + + + + + + Mapping Provenance + Describes requirements, incompatibilities and gaps that are identified between + a target and source in a mapping item. + + + + + + + + + + + + + + + + + + + + + + + + + Gap Summary + A by-id collection of all controls that were not mapped at all in this + mapping-collection. If a control is partially mapped, the parts of the control + are not mappable, the gap and discrepancies should be documented in the + relationship-gal. + + Gap Summary Universally Unique Identifier + A + machine-oriented, globally + unique identifier with + cross-instance scope that can be used to reference this mapping gap summary + elsewhere in this + or other OSCAL instances. The locally defined UUID of the SSP + can be used to reference the data item locally or globally (e.g., in an imported + OSCAL instance).This UUID should be assigned + per-subject, which means it should be consistently used to identify the same + subject across revisions of the document. + + + + unmapped-controls + + +

If with-child-controls is yes on the call to a control, + any controls appearing within it (child controls) will be selected, with no + additional call directives required. This flag provides a way + to include controls with all their dependent controls (enhancements) without + having to call them individually.

+
+
+
+
+ + + + + + + + Confidence Score + This records either a string category or a decimal value from 0-1 representing a percentage. Both of these values describe an estimation of the author's confidence + that this mapping is correct and accurate. + + + + + + No category is specified for the confidence score. + High confidence in the mapping. + Medium confidence in the mapping. + Low confidence in the mapping. + + + + + + + + + + + + + + + + Coverage + A decimal value from 0-1, representing the percentage coverage of the targets by the sources. + target-coverage + + Coverage Generation Method + The method used to determine the coverage value. + + + The coverage value is a qualitative estimate of coverage with no strict formula. + + + + +

This field is scoped - that is, it can be used at the document-level, the mapping level, or the individual map item level. It only applies to targets and sources within it's scope.

+

Coverage is calculated by taking the full set of all targets in-scope and the full set of all sources in-scope, then applying the "generation-method" to the two sets. + By default the method is an arbitrary estimation of coverage.

+

In a general sense "coverage" is defined as the percent of the set of targets that have mapped to by the set of sources, + where each map is an "equivalent-to" or "equal-to" valued "relationship". Where relationship is "subset-of" or otherwise, it counts as an appropriate fraction of a full map.

+

Since coverage is derived from mapping relationships, it is defined in the context of the mapping's "matching-rationale" - that is, the method used to determine relationships.

+
+
+ + Percentage + A decimal value from 0-1, representing a percentage. + + + Mapping Description + Description of the context and intended use of the mapping set. + +

The value of this field applies to the entire document if found in the top-level + mapping provenance, otherwise it applies to the specific mapping in which it is found.

+

If this field appears in both locations, the lower-scoped value overrides while within it's scope.

+
+
+ + + + + Matching + The method used for relating controls within the mapping. The supported methods + are aligned with the NIST + Interagency Report (IR) 8477, Section 4.3 Set Theory Relationship Mapping. + + + Syntactic: How similar is the wording that + expresses the two concepts. This is a word-for-word analysis of the + relationship, not an interpretation of the language. + Semantic: How similar are the meanings of the two + concepts? This involves some interpretation of each concept’s language. + Functional: How similar are the results of + executing the two concepts? This involves understanding what will happen if the + two concepts are implemented, performed, or otherwise executed. + + + +

The value of this flag applies to the entire document if found in the top-level + mapping provenance, otherwise it applies to the specific mapping in which it is found.

+

If this flag appears in both locations, the lower-scoped value overrides while within it's scope.

+
+
+ + Status + The current status of this mapping document. + + + Complete + Not Complete + Draft + Deprecated + Superseded + + + +

The value of this flag applies to the entire document if found in the top-level + mapping provenance, otherwise it applies to the specific mapping in which it is found.

+

If this flag appears in both locations, the lower-scoped value overrides while within it's scope.

+
+
+ + Method + The method used to complete the overall mapping. + + + Human + Automation + Hybrid + + + +

The value of this flag applies to the entire document if found in the top-level + mapping provenance, otherwise it applies to the specific mapping in which it is found.

+

If this flag appears in both locations, the lower-scoped value overrides while within it's scope.

+
+
+ + + Matching Pattern + A glob expression + matching the IDs of one or more controls to be selected. + + + + Include Contained Controls with Control + When a control is included, whether its child (dependent) controls are also + included. + + + Include child controls with an included control. + When importing a control, only include child controls that are also + explicitly called. + + + +
diff --git a/release-metaschemas/oscal_mapping_metaschema_RESOLVED.xml b/release-metaschemas/oscal_mapping_metaschema_RESOLVED.xml new file mode 100644 index 000000000..36864c0df --- /dev/null +++ b/release-metaschemas/oscal_mapping_metaschema_RESOLVED.xml @@ -0,0 +1,46 @@ + + + + + + OSCAL Control Mapping Model + 1.2.1 + oscal-mapping + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL Control mapping format can be used to describe how a collection of security controls and related control enhancements relate to another collection of controls. The root of the Control Catalog format is mapping-collection. +

+
+ + + + Mapping Collection + A collection of relationship-based control and/or control statement mappings. + mapping-collection + + Mapping Collection Universally Unique Identifier + A globally unique identifier with cross-instance scope for this catalog instance. This UUID should be changed when this document is revised. + + + + + provenance + + + + + + +

Back matter including references and resources.

+
+
+
+ +

A mapping collection affirmatively declares the relationships that exist between sets of controls and/or control statements in a source and target. It is expected that inferences can be made based on what is mapped; however, no inferences should be made based on what is not mapped, since it is impossible to quantify how complete or granular a given mapping is.

+
+
+
diff --git a/release-metaschemas/oscal_metadata_metaschema_RESOLVED.xml b/release-metaschemas/oscal_metadata_metaschema_RESOLVED.xml new file mode 100644 index 000000000..2e946cd48 --- /dev/null +++ b/release-metaschemas/oscal_metadata_metaschema_RESOLVED.xml @@ -0,0 +1,1191 @@ + + + + + + + OSCAL Document Metadata Description + 1.2.1 + oscal-metadata + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + + + + + Document Metadata + Provides information about the containing document, and defines concepts that are shared across the document. + + + Document Title + A name given to the document, which may be used by a tool for display and navigation. + + + + + + + Revision History Entry + An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first). + + + + Document Title + A name given to the document revision, which may be used by a tool for display and navigation. + + + + + + + + + + + + + + + + + The link identifies the authoritative location for this resource. Defined by RFC 6596. + The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard + + This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829. + This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829. + This link identifies a resource containing the version history of this document. Defined by RFC 5829. + + + + +

While published, last-modified, and oscal-version are not required, values for these entries should be provided if the information is known. A link with a rel of source should be provided if the information is known.

+
+
+ + + + + + + + + + + Role + Defines a function, which might be assigned to a party in a specific situation. + + + + Role Identifier + A unique identifier for the role. + + + + + + + + + + Role Title + A name given to the role, which may be used by a tool for display and navigation. + + + Role Short Name + A short common name, abbreviation, or acronym for the role. + + + + Role Description + A summary of the role's purpose and associated responsibilities. + + + + + + + + + + + + + + +

Permissible values to be determined closer to the application (e.g. by a receiving authority).

+

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

+
+
+ + Location + A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document. + + + Location Universally Unique Identifier + A unique ID for the location, for reference. + + + + Location Title + A name given to the location, which may be used by a tool for display and navigation. + + + +

The physical address of the location, which will provided for physical locations. Virtual locations can omit this data item.

+
+
+ + + +

A contact email associated with the location.

+
+
+ + + +

A phone number used to contact the location.

+
+
+ + Location URL + The uniform resource locator (URL) for a web site or other resource associated with the location. + + +

This data field is deprecated in favor of using a link with an appropriate relationship.

+
+
+ + + + + + + +
+ + + Characterizes the kind of location. + + + A location that contains computing assets. A class can be used to indicate the sub-type of data-center as primary or alternate. + + + The location is a data-center used for normal operations. + The location is a data-center used for fail-over or backup operations. + + + In most cases, it is useful to define a location. In some cases, defining an explicit location may represent a security risk. + + + A location must have at least a title, address, email-address, or telephone number. + + + +

An address might be sensitive in nature. In such cases a title, mailing address, email-address, and/or phone number may be used instead.

+
+
+ + Party + An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document. + + + Party Universally Unique Identifier + + A unique identifier for the party. + + + + + + + + Party Type + A category describing the kind of party the object describes. + + + A human being regarded as an individual. + An organized group of one or more person individuals with a specific purpose. + + + + + + Party Name + The full name of the party. This is typically the legal name associated with the party. + + + Party Short Name + A short common name, abbreviation, or acronym for the party. + + + + Party External Identifier + An identifier for a person or organization using a designated + scheme. e.g. an Open Researcher and Contributor ID + (ORCID). + id + + + External Identifier Schema + Indicates the type of external identifier. + + + The identifier is Open Researcher and Contributor ID (ORCID). + + + +

This value must be an absolute URI that serves as a naming system identifier.

+
+
+
+ + + + + + + + + +

This is a contact email associated with the party.

+
+
+ + + +

A phone number used to contact the party.

+
+
+ + + + + + + + + + Organizational Affiliation + + A reference to another party by UUID, typically an organization, that this subject is associated with. + + + + + + + + + + + +

Since the reference target of an organizational affiliation must be another party (whether further qualified as person or organization) as indicated by its uuid. As a machine-oriented identifier with uniqueness across document and trans-document scope, this uuid value is sufficient to reference the data item locally or globally across related documents, e.g., in an imported OSCAL instance.

+

Parties of both the person or organization type can be associated with an organization using the member-of-organization.

+
+
+ +
+ + + A mail stop associated with the party. + The name or number of the party's office. + The formal job title of a person. + + + +

A party can be optionally associated with either an address or a location. While providing a meaningful location for a party is desired, there are some cases where it might not be possible to provide an exact location or even any location.

+
+
+ + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+ + Indicates the person or organization that created this content. + Indicates the person or organization that prepared this content. + Indicates the person or organization for which this content was created. + Indicates the person or organization responsible for all content represented in the "document". + Indicates the person or organization to contact for questions or support related to this content. + + + The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications. + + + The link identifies the authoritative location for this resource. Defined by RFC 6596. + The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard + + This link identifies a resource containing the latest version in the version history. Defined by RFC 5829. + This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829. + This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829. + + + + + +

The combination of scheme and the field value must be unique.

+
+
+
+ +

All OSCAL documents use the same metadata structure, that provides a consistent way of expressing OSCAL document metadata across all OSCAL models. The metadata section also includes declarations of individual objects (i.e., roles, location, parties) that may be referenced within and across linked OSCAL documents.

+

The metadata in an OSCAL document has few required fields, representing only the bare minimum data needed to differentiate one instance from another. Tools and users creating OSCAL documents may choose to use any of the optional fields, as well as extension mechanisms (e.g., properties, links) to go beyond this minimum to suit their use cases.

+

A publisher of OSCAL content can use the published, last-modified, and version fields to establish information about an individual in a sequence of successive revisions of a given OSCAL-based publication. The metadata for a previous revision can be represented as a revision within this object. Links may also be provided using the predecessor-version and successor-version link relations to provide for direct access to the related resource. These relations can be provided as a link child of this object or as link within a given revision.

+

A responsible-party entry in this context refers to roles and parties that have responsibility relative to the production, review, publication, and use of the containing document.

+
+
+ + Location Universally Unique Identifier Reference + + Reference to a location by UUID. + + + + + + + + + + + + Party Universally Unique Identifier Reference + + Reference to a party by UUID. + + + + + + + + + + + + Role Identifier Reference + + Reference to a role by UUID. + + + + + + + + + + + + + + + Back matter + A collection of resources that may be referenced from within the OSCAL document instance. + + + Resource + A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources. + + + Resource Universally Unique Identifier + A unique identifier for a resource. + + + + + Resource Title + An optional name given to the resource, which may be used by a tool for display and navigation. + + + Resource Description + An optional short summary of the resource used to indicate the purpose of the resource. + + + + + + + + + Citation + An optional citation consisting of end note text using structured markup. + + + Citation Text + A line of citation text. + + + + + + + + + + + Resource link + A URL-based pointer to an external resource with an optional hash for verification and change detection. + + + Hypertext Reference + A resolvable URL pointing to the referenced resource. + +

This value may be either:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
+
+
+ + + + A hash of the resource identified by href, which can be used to verify the resource was not changed since it was hashed. + + +

The hash value can be used to confirm that the resource referenced by the href is the same resources that was hashed by retrieving the resource, calculating a hash, and comparing the result to this value.

+
+
+
+ +

Multiple rlink objects can be included for a resource. In such a case, all provided rlink items are intended to be equivalent in content, but may differ in structure or format.

+

A media-type is used to identify the format of a given rlink, and can be used to differentiate items in a collection of rlinks. The media-type provides a hint to the OSCAL document consumer about the structure of the resource referenced by the rlink. +

+
+
+ + Base64 + A resource encoded using the Base64 alphabet defined by RFC 2045. + value + + File Name + Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded. + + + + + +
+ + + Identifies the type of resource represented. The most specific appropriate type value SHOULD be used. + For resources representing a published document, this represents the version number of that document. + For resources representing a published document, this represents the publication date of that document. + + + + + Indicates the resource is an organization's logo. + Indicates the resource represents an image. + Indicates the resource represents an image of screen content. + Indicates the resource represents an applicable law. + Indicates the resource represents an applicable regulation. + Indicates the resource represents an applicable standard. + Indicates the resource represents applicable guidance. + Indicates the resource provides a list of relevant acronyms. + Indicates the resource cites relevant information. + + Indicates the resource is a policy. + Indicates the resource is a procedure. + Indicates the resource is guidance document related to the subject system of an SSP. + Indicates the resource is guidance document a user's guide or administrator's guide. + Indicates the resource is guidance document a administrator's guide. + Indicates the resource represents rules of behavior content. + Indicates the resource represents a plan. + + Indicates the resource represents an artifact, such as may be reviewed by an assessor. + Indicates the resource represents evidence, such as to support an assessment finding. + Indicates the resource represents output from a tool. + Indicates the resource represents machine data, which may require a tool or analysis for interpretation or presentation. + Indicates the resource represents notes from an interview, such as may be collected during an assessment. + Indicates the resource is a set of questions, possibly with responses. + Indicates the resource is a report. + Indicates the resource is a formal agreement between two or more parties. + + + A resource should provide at least an rlink or base64 object. + + + Ensure that each rlink item references a unique resource. + + + + + Ensure that all base64 resources have a unique filename. + + + + A title is required when a citation is provided. + + + + +

A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource.

+

Both rlink and base64 allow for a media-type to be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.

+

When a resource includes a citation, then the title and citation properties must both be included.

+
+
+
+ + + + + + +

Provides a collection of identified resource objects that can be referenced by a link with a rel value of "reference" and an href value that is a fragment "#" followed by a reference to a reference's uuid. Other specialized link "rel" values also use this pattern when indicated in that context of use.

+
+ + + Use of link, citation, and resource + +

The following is a contrived example to show the use of link, citation, and resource.

+
+ + + My citation + + + + + + + +
+
+ + + + + Property + An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. + prop + + Property Name + A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object. + + + Property Universally Unique Identifier + + A unique identifier for a property. + + + Property Namespace + A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name. + +

This value must be an absolute URI that serves as a naming system identifier.

+

When a ns is not provided, its value should be assumed to be http://csrc.nist.gov/ns/oscal and the name should be a name defined by the associated OSCAL model.

+
+
+ + Property Value + Indicates the value of the attribute, characteristic, or quality. + + + Property Class + A textual label that provides a sub-type or characterization of the + property's name. + +

This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns, or to group properties into categories.

+

A class can be used in validation rules to express extra constraints over named items of a specific class value. It is available for grouping, but unlike group is not expected specifically to designate any group membership as such.

+
+
+ + Property Group + An identifier for relating distinct sets of properties. + +

Different sets of properties may relate to separate contexts. Declare a group on a property to associate it with one or more other properties in a given context.

+
+
+ + + + + + A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value. + + + +

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

+

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

+
+
+ + Link + A reference to a local or remote resource, that has a specific relation to the containing object. + + Hypertext Reference + A resolvable URL reference to a resource. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to an OSCAL object by the objects identifier (e.g., id, uuid) in this or an imported document (see linking to another OSCAL object). The specific object type will differ based on the link relationship type.
  6. +
+
+
+ + Link Relation Type + Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose. + + + A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment. + + + + + Link Media Type + +

The media-type provides a hint about the content model of the referenced resource. A valid entry from the IANA Media Types registry SHOULD be used.

+
+
+ + Resource Fragment + In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded. + + + + Link Text + A textual label to associate with the link, which may be used for presentation in a tool. + + + + + A local reference SHOULD NOT have a media-type. + +

Since both link and back-matter/resource both allow specification of a media-type, the media-type on link may conflict with the any media-type entries on a resource's rlink or base64 objects. This constraint prevents this from occurring.

+
+
+ + + + + + + +

This pattern is based on the fragment Augmented Backus-Naur form (ABNF) syntax provided in [RFC3986 section 3.5](https://www.rfc-editor.org/rfc/rfc3986#section-3.5). Uppercase alpha hex digits are required, which is the preferred normalized form defined in RFC3986.

+
+
+
+ +

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

+

The OSCAL link is a roughly based on the HTML link element. +

+
+ + Providing for link integrity + +

The following is a contrived example to show the use of link, citation, and resource.

+
+ + My Hashed Resource + ...snip... + + + + C2E9C1..snip..F88D2E + + + + +
+
+ + Responsible Party + A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object. + + Responsible Role + + A reference to a role performed by a party. + + + + + + + Specifies one or more parties responsible for performing the associated role. + + + + + + + + + + + + + + + + +

A responsible-party requires one or more party-uuid references creating a strong relationship arc between the referenced role-id and the reference parties. This differs in semantics from responsible-role which doesn't require that a party-uuid is referenced.

+

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

+
+
+ + Action + An action applied by a role within a given party to the content. + + Action Universally Unique Identifier + A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. + + + Action Occurrence Date + The date and time when the action occurred. + + + Action Type + The type of action documented by the assembly, such as an approval. + + + Action Type System + Specifies the action type system used. + +

Provides a means to segment the value space for the type, so that different organizations and individuals can assert control over the allowed action's type. This allows the semantics associated with a given type to be defined on an organization-by-organization basis.

+

An organization MUST use a URI that they have control over. e.g., a domain registered to the organization in a URI, a registered uniform resource names (URN) namespace.

+
+
+ + + + + + + + + + + + + + + + + + + + + This value identifies action types defined in the NIST OSCAL namespace. + + + An approval of a document instance's content. + A request from the responsible party or parties to change the content. + + +
+ + Responsible Role + A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role. + + Responsible Role ID + A human-oriented identifier reference to a role performed. + + + + + + + + + + Specifies zero or more parties responsible for performing the associated role. + + + + + +

A responsible-role allows zero or more party-uuid references, each of which creates a relationship arc between the referenced role-id and the referenced party. This differs in semantics from responsible-party, which requires that at least one party-uuid is referenced.

+

The scope of use of this object determines if the responsibility has been performed or will be performed in the future. The containing object will describe the intent.

+
+
+ + + Hash + A representation of a cryptographic digest generated over a resource using a specified hash algorithm. + value + + Hash algorithm + The digest method by which a hash is derived. + + + The SHA-224 algorithm as defined by NIST FIPS 180-4. + + The SHA-256 algorithm as defined by NIST FIPS 180-4. + + The SHA-384 algorithm as defined by NIST FIPS 180-4. + + The SHA-512 algorithm as defined by NIST FIPS 180-4. + + The SHA3-224 algorithm as defined by NIST FIPS 202. + + The SHA3-256 algorithm as defined by NIST FIPS 202. + + The SHA3-384 algorithm as defined by NIST FIPS 202. + + The SHA3-512 algorithm as defined by NIST FIPS 202. + + + + +

Any other value used MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013) or RFC 6931 Section 2.1.5 New SHA Functions.

+
+
+ + + + + + +
+ + Media Type + A label that indicates the nature of a resource, as a data serialization or + format. + +

The Internet Assigned Numbers Authority (IANA) Media + Types Registry defines a standardized set of media types, which may be used + here.

+

The application/oscal+xml, application/oscal+json or application/oscal+yaml media types SHOULD be used when referencing OSCAL XML, JSON, or YAML resources respectively.

+

**Note: There is no official media type for YAML at this time.** OSCAL documents should specify application/yaml for general YAML content, or application/oscal+yaml for YAML-based OSCAL content. This approach aligns with use of a structured name suffix, per RFC 6838 Section 4.2.8.

+

Some earlier OSCAL content incorporated the model into the media type. For example: application/oscal.catalog+xml. This practice SHOULD be avoided, since the OSCAL model can be detected by parsing the initial content of the referenced resource.

+
+
+ + Remarks + Additional commentary about the containing object. + +

The remarks field SHOULD not be used to store arbitrary data. Instead, a prop or link should be used to annotate or reference any additional data not formally supported by OSCAL.

+
+
+ + + + + Publication Timestamp + The date and time the document was last made available. + +

Typically, this date value will be machine-generated at the time the containing document is published.

+

In some cases, an OSCAL document may be derived from some source material provided in a different format. In such a case, the published value should indicate when the OSCAL document instance was last published, not the source material.

+ +
+
+ + Last Modified Timestamp + The date and time the document was last stored for later retrieval. + +

This value represents the point in time when the OSCAL document was last updated, or at the point of creation the creation date. Typically, this date value will be machine generated at time of creation or modification. Ideally, this field will be managed by the editing tool or service used to make modifications when storing the modified document.

+

The intent of the last modified timestamp is to distinguish between significant change milestones when the document may be accessed by multiple entities. This allows a given entity to differentiate between multiple document states at specific points in time. It is possible to make multiple modifications to the document without storing these changes. In such a case, the last modified timestamp might not be updated until the document is finally stored.

+

In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified value should indicate the last modification time of the OSCAL document instance, not the source material.

+
+
+ + Document Version + Used to distinguish a specific revision of an OSCAL document from other previous and future versions. + +

A version may be a release number, sequence number, date, or other identifier sufficient to distinguish between different document revisions.

+

While not required, it is recommended that OSCAL content authors use Semantic Versioning as the version format. This allows for the easy identification of a version tree consisting of major, minor, and patch numbers.

+

A version is typically set by the document owner or by the tool used to maintain the content.

+
+
+ + OSCAL Version + The OSCAL model version the document was authored against and will conform to as valid. + +

Indicates the version of the OSCAL model to which the document conforms, for example 1.1.0 or 1.0.0-milestone1. That can be used as a hint for a tool indicating which version of the OSCAL XML or JSON schema to use for validation.

+

The OSCAL version serves a different purpose from the document version and is used to represent a different concept. If both have the same value, this is coincidental.

+
+
+ + Email Address + An email address as defined by RFC 5322 Section + 3.4.1. + + + Telephone Number + A telephone service number as defined by ITU-T E.164. + number + + type flag + Indicates the type of phone number. + + + A home phone number. + An office phone number. + A mobile phone number. + + + + + + +

Providing a country code provides an international means to interpret the phone number.

+
+
+
+
+ + Address + A postal address for the location. + + type + + + + + + + + City + City, town or geographical region for the mailing address. + + + State + State, province or analogous geographical region for a mailing + address. + + + Postal Code + Postal or ZIP code for mailing address. + + + Country Code + The ISO 3166-1 alpha-2 country code for the mailing address. + + + + + + + + + Address line + A single line of an address. + + + Address Type + Indicates the type of address. + + + A home address. + A work address. + + + + + Document Identifier + + A document identifier qualified by an identifier + scheme. + identifier + + Document Identification Scheme + Qualifies the kind of document identifier using a URI. If the scheme is not + provided the value of the element will be interpreted as a string of + characters. + + + A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record. + + + +

This value must be an absolute URI that serves as a naming system identifier.

+
+
+ +

A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions, representations or digital surrogates of the same document.

+

A document identifier provides an additional data point for identifying a document that can be assigned by a publisher or organization for purposes in a wider system, such as a digital object identifier (DOI) or a local content management system identifier.

+

Use of a document identifier allows for document creators to associate sets of documents that are related in some way by the same document-id.

+

An OSCAL document always has an implicit document identifier provided by the document's UUID, defined by the uuid on the top-level object. Having a default UUID-based identifier ensures all documents can be minimally identified when other document identifiers are not provided.

+
+
+
diff --git a/release-metaschemas/oscal_poam_metaschema_RESOLVED.xml b/release-metaschemas/oscal_poam_metaschema_RESOLVED.xml new file mode 100644 index 000000000..db809d4d2 --- /dev/null +++ b/release-metaschemas/oscal_poam_metaschema_RESOLVED.xml @@ -0,0 +1,196 @@ + + + + OSCAL Plan of Action and Milestones (POA&M) Model + 1.2.1 + oscal-poam + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL Plan of Action and Milestones (POA&M) format is used to describe the information typically provided by an assessor during the preparation for an assessment.

+

The root of the OSCAL Plan of Action and Milestones (POA&M) format is plan-action-milestones. +

+
+ + + + + + + Plan of Action and Milestones (POA&M) + A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP. + plan-of-action-and-milestones + + POA&M Universally Unique Identifier + + A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + + +

Used by the POA&M to import information about the system.

+
+
+ + + + + + + + + + + + + + + + + + + +
+ +

Either an OSCAL-based SSP must be imported, or a unique system-id must be specified. Both may be present.

+
+
+ + Local Definitions + Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M. + + + component + + +

Used to add any components, not defined via the System Security Plan (AR->AP->SSP)

+
+
+ + + +

Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)

+
+
+ + + +

Specifies components or assessment-platforms used in the assessment.

+
+
+ +
+ + + + +

Since multiple component entries can be provided, each component must have a unique uuid.

+
+
+
+
+ + POA&M Item + Describes an individual POA&M item. + + POA&M Item Universally Unique Identifier + + A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + POA&M Item Title + The title or name for this POA&M item . + + + + POA&M Item Description + A human-readable description of POA&M item. + + + + + + + + + Origin + Identifies the source of the finding, such as a tool or person. + + + + actor + + + + +

Used to identify the individual and/or tool generated this poam-item.

+
+
+ + Related Finding + Relates the poam-item to referenced finding(s). + + + Finding Universally Unique Identifier Reference + A machine-oriented identifier reference to a finding defined in the list of findings. + + + + + + + + + + + + + + + + + + + + +
+ + + It is a best practice to provide a UUID. + + +
+
diff --git a/release-metaschemas/oscal_profile_metaschema_RESOLVED.xml b/release-metaschemas/oscal_profile_metaschema_RESOLVED.xml new file mode 100644 index 000000000..8e9b8a4d6 --- /dev/null +++ b/release-metaschemas/oscal_profile_metaschema_RESOLVED.xml @@ -0,0 +1,486 @@ + + + + + OSCAL Profile Model + 1.2.1 + oscal-profile + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

In OSCAL a profile represents a set of selected controls from one or more control catalogs. Such a set of controls can + be referenced by an OSCAL system security plan (SSP) to establish a control baseline. This effective set of controls is produced from an OSCAL + profile using a deterministic, predictable process called profile resolution.

+

A profile references one or more OSCAL catalogs or profiles to import controls for control selection and tailoring. A profile can also describe how a resulting catalog is structured. When the profile is resolved, these selections and modifications are processed to produce a resulting OSCAL catalog.

+

OSCAL profiles have uses beyond establishing control baselines, such as documentation + generation or as reference tables for validations.

+
+ + + + Profile + Each OSCAL profile is defined by a profile + element. + profile + + Profile Universally Unique Identifier + + Provides a globally unique means to identify a given profile instance. + + + + + + + + + + + + + + + + +

An OSCAL document that describes a tailoring of controls from one or more catalogs, with possible modification of multiple controls. It provides mechanisms by which controls may be selected (import), merged or (re)structured (merge), and amended (modify). OSCAL profiles may select subsets of controls, set parameter values for them in application, and even adjust the representation of controls as given in and by a catalog. They may also serve as sources for further modification in and by other profiles, that import them.

+
+
+ + Import Resource + Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline. + + Catalog or Profile Reference + A resolvable URL reference to the base catalog or profile that this profile is tailoring. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
  6. +
+
+
+ + + + +

Identifies that all controls are to be included from the imported catalog or profile.

+
+
+ + include-controls + + +

If with-child-controls is yes on the call to a control, any controls appearing within it (child controls) will be selected, with no additional call directives required. This flag provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

+
+
+
+ + exclude-controls + + +

Identifies which controls to exclude, or eliminate, from the set of included controls by control identifier or match pattern.

+
+
+
+ +

The contents of the import element indicate which controls from the source will be included. Controls from the source catalog or profile may be either selected, using the include-all or include-controls directives, or de-selected (using an exclude-controls directive).

+
+ + + + + +
+ + Merge Controls + Provides structuring directives that instruct how controls are organized after profile resolution. + + + Combination Rule + A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID). + + Combination Method + Declare how clashing controls should be + handled. + + + Use the first definition - the first control with a given ID is used; subsequent ones are discarded + **(deprecated)** **(unspecified)** + Merge - controls with the same ID are + combined + Keep - controls with the same ID are kept, retaining the clash + + + + + + + + + + Flat Without Grouping + Directs that controls appear without any grouping structure. + + + Group As-Is + Indicates that the controls selected should retain their original grouping as defined in the import source. + + + Custom Grouping + Provides an alternate grouping structure that selected controls will be placed in. + + + + + + + + + +

The custom element represents a custom arrangement or organization of controls in the resolution of a catalog. This structuring directive gives the profile author the ability to define an entirely different organization of controls as compared to their source catalog(s).

+
+
+
+
+
+ + Control Group + A group of (selected) controls or of groups of controls. + + + Group Identifier + + Identifies the group. + + + + + + +

This optional data element is available to support hyperlinking to formal groups or families as defined in control catalogs, among other operations.

+
+
+ + Group Class + A textual label that provides a sub-type or characterization of the group. + +

A class can be used in validation rules to express extra constraints over named items of a specific class value.

+

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

+
+
+ + + Group Title + A name to be given to the group for use in display. + + + + + + + + + + + + + + + + + + + + + + + +

This construct mirrors the same construct that exists in an OSCAL catalog.

+
+
+ + Modify Controls + Set parameters or amend controls in resolution. + + + Parameter Setting + A parameter setting, to be propagated to points of + insertion. + + + + Parameter ID + + An identifier for the parameter. + + + + + + + + Parameter Class + A textual label that provides a characterization of the parameter. + +

A class can be used in validation rules to express extra constraints over named items of a specific class value.

+
+
+ + Depends On + **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used. + + + + + + + + + + Parameter Label + A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned. + +

The label value should be suitable for inline display in a rendered catalog.

+
+
+ + Parameter Usage Description + Describes the purpose and use of a + parameter. + + + constraint + + + + guideline + + + + + value + + +

Used to (re)define a parameter value.

+
+
+ + select + +
+
+
+ + Alteration + Specifies changes to be made to an included control when a profile is resolved. + + + + + Removal + Specifies objects to be removed from a control based on specific aspects of the object that must all match. + + + Reference by (assigned) name + Identify items remove by matching their + assigned name. + + + Reference by class + Identify items to remove by matching their class. + + + Reference by ID + Identify items to remove indicated by their id. + + + Item Name Reference + Identify items to remove by the name of the + item's information object name, e.g. + title or + prop. + + + A descendant parameter and all of its descendants. + A descendant property and all of its descendants. + A descendant link and all of its descendants. + A descendant parameter and all of its descendants. + A descendant mapping and all of its descendants. + A descendant mapping entry (map) and all of its descendants. + + + + + Item Namespace Reference + Identify items to remove by the item's ns, which is the namespace associated with a part, or prop. + + + + + + +

Use by-name, by-class, by-id or by-item-name to indicate class tokens or ID reference, or the formal name, of the component to be removed or erased from a control, when a catalog is resolved. The control affected is indicated by the pointer on the removal's parent (containing) alter element.

+

To change an element, use remove to remove the element, then add to add it back again with changes.

+
+
+ + Addition + Specifies contents to be added into controls, in + resolution. + + + Position + Where to add the new content with respect to + the targeted element (beside it or inside + it). + + + Preceding the by-id target + Following the by-id target + Inside the control or by-id target, at the start + Inside the control or by-id target, at the end + + + + + Reference by ID + Target location of the addition. + + + + Title Change + A name given to the control, which may be used by a tool for display and navigation. + + + + + + + + + + + + + + + + + A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases. + An alternative identifier, whose value is easily sortable among other such values in the document. + An alternate or aliased identifier for the parent context. + + + +

When no by-id is given, the addition is inserted into the control targeted by the alteration at the start or end as indicated by position. Only position values of "starting" or "ending" are permitted when there is no by-id.

+

+ by-id, when given, should indicate, by its ID, an element inside the control to serve as the anchor point for the addition. In this case, position value may be any of the permitted values.

+
+
+
+ +

Use @control-id to indicate the scope of alteration.

+

It is an error for two alter elements to apply to the same control. In practice, multiple alterations can be applied (together), but it creates confusion.

+

At present, no provision is made for altering many controls at once (for example, to systematically remove properties or add global properties); extending this element to match multiple control IDs could provide for this.

+
+
+
+ + + + +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

+
+
+
+
+ + Insert Controls + Specifies which controls to use in the containing context. + + Order + A designation of how a selection of controls in a profile is to be ordered. + + + Use the order of their appearance, using a depth-first traversal of the source profile's imports. + Sort all selected controls into ascending alphanumeric order by their ID. + Sort all selected controls into descending alphanumeric order by their ID. + + + + + + + + include-controls + + + + + exclude-controls + + +

Identifies which controls to exclude, or eliminate, from the set of matching includes.

+
+
+
+ +

To be schema-valid, this element must contain either (but not both) a single include-all directive, or a sequence of include-controls directives.

+

If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.

+
+
+ + + + + + + + + +
diff --git a/release-metaschemas/oscal_ssp_metaschema_RESOLVED.xml b/release-metaschemas/oscal_ssp_metaschema_RESOLVED.xml new file mode 100644 index 000000000..3ce8f6561 --- /dev/null +++ b/release-metaschemas/oscal_ssp_metaschema_RESOLVED.xml @@ -0,0 +1,1207 @@ + + + + + + OSCAL System Security Plan (SSP) Model + 1.2.1 + oscal-ssp + http://csrc.nist.gov/ns/oscal/1.0 + http://csrc.nist.gov/ns/oscal + +

The OSCAL Control SSP format can be used to describe the information typically specified in a system security plan, such as those defined in NIST SP 800-18.

+

The root of the OSCAL System Security Plan (SSP) format is system-security-plan.

+
+ + + + + + + System Security Plan (SSP) + A system security plan, such as those described in NIST SP 800-18. + system-security-plan + + System Security Plan Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + + + + + + + + + + + + + + + + Import Profile + Used to import the OSCAL profile representing the system's control baseline. + + Profile Reference + A resolvable URL reference to the profile or catalog to use as the system's control baseline. + +

This value may be one of:

+
    +
  1. an absolute URI that points to a network resolvable resource,
  2. +
  3. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  4. +
  5. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).
  6. +
+

If the resource is an OSCAL profile, it is expected that a tool will resolve the profile according to the OSCAL profile resolution specification to produce a resolved profile for use when processing the containing system security plan. This allows a system security plan processor to use the baseline as a catalog of controls.

+

While it is possible to reference a previously resolved OSCAL profile as a catalog, this practice is discouraged since the unresolved form of the profile communicates more information about selections and changes to the underlying catalog. Furthermore, the underlying catalog can be maintained separately from the profile, which also has maintenance advantages for distinct maintainers, ensuring that the best available information is produced through profile resolution.

+
+
+ + + +
+ + + + + System Characteristics + Contains the characteristics of the system, such as its name, purpose, and security impact level. + + + + + + System Name - Full + The full name of the system. + + + System Name - Short + A short name for the system, such as an acronym, that is suitable for display in a data table or summary list. + +

Since system-name-short is optional, if the system-name-short is not provided, the system-name can be used as a substitute.

+
+
+ + System Description + A summary of the system. + + + + + + + + + + Security Sensitivity Level + The overall information system sensitivity categorization, such as defined by FIPS-199. + +

Often, organizations require the security sensitivity level to correspond with the highest confidentiality, integrity, or availability level identified by security-impact-level. +

+
+
+ + + + + + + + + + +
+ + + A value of 1, 2, or 3 as defined by SP 800-63-3. + + A value of 1, 2, or 3 as defined by SP 800-63-3. + + A value of 1, 2, or 3 as defined by SP 800-63-3. + + + + As defined by SP 800-63-3. + + As defined by SP 800-63-3. + + As defined by SP 800-63-3. + + + + The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other. + The associated value is one of: saas, paas, iaas, or other. + + + The public cloud deployment model as defined by The NIST Definition of Cloud Computing. + + The private cloud deployment model as defined by The NIST Definition of Cloud Computing. + + The community cloud deployment model as defined by The NIST Definition of Cloud Computing. + + The hybrid cloud deployment model as defined by The NIST Definition of Cloud Computing. + + + A specific type of community-cloud for use only by government services. + Any other type of cloud deployment model that is exclusive to the other choices. + +

The hybrid cloud deployment model, as defined by The NIST Definition of Cloud Computing, can be supported by selecting two or more of the existing deployment models.

+
+
+ + Software as a service (SaaS) cloud service model as defined by The NIST Definition of Cloud Computing. + + Platform as a service (PaaS) cloud service model as defined by The NIST Definition of Cloud Computing. + + Infrastructure as a service (IaaS) cloud service model as defined by The NIST Definition of Cloud Computing. + + Any other type of cloud service model that is exclusive to the other choices. + + + + +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+ + The authorizing official for this system. + The authorizing official's designated point of contact (POC) for this system. + The executive ultimately accountable for the system. + The primary management-level point of contact (POC) for the system. + The primary technical point of contact (POC) for the system. + Other point of contact (POC) for the system that is not the management or technical POC. + The primary role responsible for ensuring the organization operates the system securely. + The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present. + +
+
+ + System Information + Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60. + + + + + + + + + Information Type + Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60. + + + Information Type Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + title field + A human readable name for the information type. This title should be meaningful within the context of the system. + + + Information Type Description + A summary of how this information type is used within the system. + + + + Information Type Categorization + A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60. + + + Information Type Identification System + Specifies the information type identification system used. + + + Based on the section identifiers in NIST Special Publication 800-60 Volume II Revision 1. + + + +

This value must be an absolute URI that serves as a naming system identifier.

+
+
+ + + + Information Type Systematized Identifier + + A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + id + + + +
+ + + + + + + + Confidentiality Impact Level + The expected level of impact resulting from the unauthorized disclosure of the described information. + confidentiality-impact + + + Integrity Impact Level + The expected level of impact resulting from the unauthorized modification of the described information. + integrity-impact + + + Availability Impact Level + The expected level of impact resulting from the disruption of access to or use of the described information or the information system. + availability-impact + +
+ + + It is a best practice to provide a UUID. + + +
+
+ + + Is this a privacy sensitive system? yes or no + + + The system is privacy sensitive. + The system is not privacy sensitive. + + + A link to the privacy impact assessment. + + + + + + + + + A 'low' sensitivity level as defined in FIPS-199. + + A 'moderate' sensitivity level as defined in FIPS-199. + + A 'high' sensitivity level as defined in FIPS-199. + + +

FIPS-199 taxonomy is provided here as a starting point. We will provide other taxonomies based on community requests.

+
+
+
+
+ + Impact Level + The expected level of impact resulting from the described information. + + + + + + + + + + + + + + Base Level (Confidentiality, Integrity, or Availability) + The prescribed base (Confidentiality, Integrity, or Availability) security impact level. + + + Selected Level (Confidentiality, Integrity, or Availability) + The selected (Confidentiality, Integrity, or Availability) security impact level. + + + Adjustment Justification + If the selected security level is different from the base security level, this contains the justification for the change. + + + Security Impact Level + The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information. + + + + Security Objective: Confidentiality + A target-level of confidentiality for the system, based on the sensitivity of information within the system. + + + Security Objective: Integrity + A target-level of integrity for the system, based on the sensitivity of information within the system. + + + Security Objective: Availability + A target-level of availability for the system, based on the sensitivity of information within the system. + + + + + Status + Describes the operational status of the system. + + State + The current operating status. + + + The system is currently operating in production. + The system is being designed, developed, or implemented + The system is undergoing a major change, development, or transition. + The system is no longer operational. + Some other state. + + + + + + + +

If 'other' is selected, a remark must be included to describe the current state.

+
+
+ + System Authorization Date + The date the system received its authorization. + + + Authorization Boundary + A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary. + + + Authorization Boundary Description + A summary of the system's authorization boundary. + + + + + + + + + + + +

A visual depiction of the system's authorization boundary.

+
+
+ +
+ + + + +

A given uuid must be assigned only once to a diagram.

+
+
+
+
+ + Diagram + A graphic that provides a visual representation the system, or some aspect of it. + + Diagram ID + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Diagram Description + A summary of the diagram. + +

This description is intended to be used as alternate text to support compliance with requirements from Section 508 of the United States Workforce Rehabilitation Act of 1973. +

+
+
+ + + + + + + + Caption + A brief caption to annotate the diagram. + + +
+ + + A reference to the diagram image. + + + + + + + + +

A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal reference within this document containing the diagram.

+
+ + +

The internal reference "#diagram1" points to an attached resource defined in the back-matter as a resource. The media-type indicates that the image is a Portable Network Graphics (PNG) image.

+
+ + A boundary diagram. + + +
+
+ + Network Architecture + A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture. + + + Network Architecture Description + A summary of the system's network architecture. + + + + + + + + + + + + + + + + + +

A given uuid must be assigned only once to a diagram.

+
+
+
+
+ + Data Flow + A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows. + + + Data Flow Description + A summary of the system's data flow. + + + + + + + + + + + + + + + + + +

A given uuid must be assigned only once to a diagram.

+
+
+
+
+ + + + + System Implementation + Provides information as to how the system is implemented. + + + + + + + + + + Leveraged Authorization + A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider. + + + Leveraged Authorization Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + title field + A human readable name for the leveraged authorization in the context of the system. + + + + + + + + + party-uuid field + + A machine-oriented identifier reference to the party that manages the leveraged system. + + + + + + + A reference to the system security plan for the leveraged authorization. + + + + + + + + + + user + + + + component + + + + + + +

A set of inventory-item entries that represent the managed inventory instances of the system.

+
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The component allows an authenticated scan. + The component does not allow an authenticated scan. + + + + + +

A given uuid must be assigned only once to a user.

+
+
+
+
+ + Control Implementation + Describes how the system satisfies a set of controls. + + + Control Implementation Description + A statement describing important things to know about how this set of control satisfaction documentation is approached. + + + + + + + + + + + + +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

+
+
+ + + +
+ +

Use of set-parameter in this context, sets the parameter for all controls referenced by any implemented-requirement contained in this context. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

+
+
+ + Control-based Requirement + Describes how the system satisfies the requirements of an individual control. + + Control Requirement Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + + + + + + + + + + + + + + + + + + + + + + + + Identifies the source of the implemented control. Any control-origination prop defined in a child context will override the parent value. + + + The control is implemented by the organization owning the system, but is not specific to the system itself. + The control is implemented specifically to this system. + The control is provided by the system, but must be configured by the customer. + The control must be implemented by the customer. + This control is inherited from an underlying system. + + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + + Members of the security operations center (SOC). + + Members of the network operations center (NOC). + Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions. + Responsible for providing information and support to users. + + Responsible for the configuration management processes governing changes to the asset. + + + + + + + + + +

Since all implementation statements are defined at the by-component level (e.g., type=this-system), there must be at least one by-component.

+
+
+ + + +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

+
+
+ + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+ + + +

Since statement entries can be referenced using the statement's statement-id, each statement must be referenced only once.

+
+
+ + + +

Since by-component can reference component entries using the component's uuid, each component must be referenced only once. This ensures that all implementation statements are contained in the same by-component entry.

+
+
+
+ +

Use of set-parameter in this context, sets the parameter for the referenced control. Any set-parameter defined in a child context will override this value. If not overridden by a child, this value applies in the child context.

+
+
+ + Specific Control Statement + Identifies which statements within a control are addressed. + + +

A reference to the specific implemented statement associated with a control.

+
+
+ + Control Statement Reference Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). + + + + + + + + + + + + + + + + + + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + + Members of the security operations center (SOC). + + Members of the network operations center (NOC). + Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions. + Responsible for providing information and support to users. + + Responsible for the configuration management processes governing changes to the asset. + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+ + + +

Since by-component can reference component entries using the component's uuid, each component must be referenced only once. This ensures that all implementation statements are contained in the same by-component entry.

+
+
+
+
+ + + Component Control Implementation + Defines how the referenced component implements a set of controls. + + Component Universally Unique Identifier Reference + + A machine-oriented identifier reference to the component that is implementing a given control. + + + By-Component Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Control Implementation Description + An implementation statement that describes how a control or a control statement is implemented within the referenced system component. + + + + + + + + + + + + +

The implementation-status is used to qualify the status value to indicate the degree to which the control is implemented.

+
+
+ + Export + Identifies content intended for external consumption, such as with leveraged organizations. + + + Control Implementation Export Description + An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system. + + + + + + + + + + Provided Control Implementation + Describes a capability which may be inherited by a leveraging system. + + + + Provided Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + Provided Control Implementation Description + An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system. + + + + + + + + + + + + + + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ + Control Implementation Responsibility + Describes a control implementation responsibility imposed on a leveraging system. + + + Responsibility Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + Control Implementation Responsibility Description + An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system. + + + + + + + + + + + +

A role defined at the by-component level takes precedence over the same role defined on the parent implemented-requirement or on the referenced component.

+
+
+ +
+ + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ +
+ + + + + + +
+ + Inherited Control Implementation + Describes a control implementation inherited by a leveraging system. + + + + Inherited Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + Inherited Control Implementation Description + An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system. + + + + + + + + + + + + + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ + Satisfied Control Implementation Responsibility + Describes how this system satisfies a responsibility imposed by a leveraged system. + + + + Satisfied Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + + + + + Satisfied Control Implementation Responsibility Description + An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system. + + + + + + + + + + + + + + + + + +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

+
+
+
+
+ + + + + +
+ + + + The hyperlink identifies a URI pointing to the component in a component-definition that originally described the component this component was based on. + A reference to the UUID of a control or statement by-component object that is used as evidence of implementation. + + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + + Members of the security operations center (SOC). + + Members of the network operations center (NOC). + Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions. + Responsible for providing information and support to users. + + Responsible for the configuration management processes governing changes to the asset. + Responsible for the creation and maintenance of a component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + + + +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

+
+
+ + + +
+ +

Use of set-parameter in this context, sets the parameter for the control referenced in the containing implemented-requirement applied to the referenced component. If the by-component is used as a child of a statement, then the parameter value also applies only in the context of the referenced statement. If the same parameter is also set in the control-implementation or a specific implemented-requirement, then this by-component/set-parameter value will override the other value(s) in the context of the referenced component, control, and statement (if parent).

+
+
+ + Provided UUID + + A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system. + + + Responsibility UUID + + A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system. + +
diff --git a/scripts/download_oscal.py b/scripts/download_oscal.py new file mode 100755 index 000000000..a2a841a87 --- /dev/null +++ b/scripts/download_oscal.py @@ -0,0 +1,187 @@ +#!/usr/bin/env python3 +""" +Download OSCAL release schemas and metaschemas. + +This script downloads OSCAL JSON schemas and metaschemas from the official +NIST OSCAL GitHub releases. By default, it downloads the latest release, +but you can specify a specific version. + +Usage: + python3 scripts/download_oscal.py [--version VERSION] + +Examples: + python3 scripts/download_oscal.py # Download latest + python3 scripts/download_oscal.py --version 1.2.1 # Download v1.2.1 + python3 scripts/download_oscal.py --version 1.1.2 # Download v1.1.2 +""" + +import argparse +import json +import shutil +import sys +import tempfile +import urllib.request +import urllib.error +import zipfile +from pathlib import Path + + +def get_latest_version(): + """Get the latest OSCAL release version from GitHub API.""" + api_url = 'https://api.github.com/repos/usnistgov/OSCAL/releases/latest' + + try: + with urllib.request.urlopen(api_url) as response: # noqa: S310 + data = json.loads(response.read().decode()) + tag_name = data.get('tag_name', '') + # Remove 'v' prefix if present + version = tag_name.lstrip('v') + return version + except Exception as e: + print(f'Error fetching latest version: {e}') + sys.exit(1) + + +def download_oscal(version, output_dir=None): + """ + Download OSCAL release for the specified version. + + Args: + version: OSCAL version to download (e.g., '1.2.2', '1.1.2') + output_dir: Optional output directory (defaults to project root) + """ + # Setup directories + if output_dir is None: + script_dir = Path(__file__).parent + output_dir = script_dir.parent + else: + output_dir = Path(output_dir) + + schemas_dir = output_dir / 'release-schemas' + metaschemas_dir = output_dir / 'release-metaschemas' + + # Create directories if they don't exist + schemas_dir.mkdir(exist_ok=True) + metaschemas_dir.mkdir(exist_ok=True) + + # Download URL + download_url = f'https://github.com/usnistgov/OSCAL/releases/download/v{version}/oscal-{version}.zip' + + # Use secure temporary files + temp_dir = Path(tempfile.gettempdir()) + zip_path = temp_dir / f'oscal-{version}.zip' + extract_path = temp_dir / f'oscal-extract-{version}' + + print(f'Downloading OSCAL v{version}...') + print(f' URL: {download_url}') + + try: + # Download the zip file + with urllib.request.urlopen(download_url) as response, open(zip_path, 'wb') as out_file: # noqa: S310 + shutil.copyfileobj(response, out_file) + + print(f' Downloaded: {zip_path}') + + # Extract the zip file + print('Extracting schemas and metaschemas...') + with zipfile.ZipFile(zip_path, 'r') as zip_ref: + zip_ref.extractall(extract_path) + + # Copy JSON schemas + json_schema_src = extract_path / 'json' / 'schema' + if json_schema_src.exists(): + schema_files = list(json_schema_src.glob('*.json')) + for schema_file in schema_files: + shutil.copy2(schema_file, schemas_dir / schema_file.name) + print(f' Copied {len(schema_files)} JSON schemas to {schemas_dir}') + else: + print(f' Warning: JSON schema directory not found: {json_schema_src}') + + # Copy metaschemas + metaschema_src = extract_path / 'metaschema' + if metaschema_src.exists(): + metaschema_files = list(metaschema_src.glob('*_RESOLVED.xml')) + for metaschema_file in metaschema_files: + shutil.copy2(metaschema_file, metaschemas_dir / metaschema_file.name) + print(f' Copied {len(metaschema_files)} metaschemas to {metaschemas_dir}') + else: + print(f' Warning: Metaschema directory not found: {metaschema_src}') + + # Cleanup + zip_path.unlink() + shutil.rmtree(extract_path) + + print(f'\nSuccessfully downloaded OSCAL v{version}') + print(f' Schemas: {schemas_dir}/ ({len(list(schemas_dir.glob("*.json")))} files)') + print(f' Metaschemas: {metaschemas_dir}/ ({len(list(metaschemas_dir.glob("*_RESOLVED.xml")))} files)') + + except urllib.error.HTTPError as e: + print(f'\nError: Failed to download OSCAL v{version}') + print(f' HTTP Error {e.code}: {e.reason}') + print(f' URL: {download_url}') + print('\nPlease check that the version exists at:') + print(' https://github.com/usnistgov/OSCAL/releases') + sys.exit(1) + except Exception as e: + print(f'\nError: {e}') + # Cleanup on error + if zip_path.exists(): + zip_path.unlink() + if extract_path.exists(): + shutil.rmtree(extract_path) + sys.exit(1) + + +def main(): + parser = argparse.ArgumentParser( + description="""Download OSCAL release schemas and metaschemas. + +This script automatically: + 1. Downloads the OSCAL release zip file from GitHub + 2. Extracts schemas and metaschemas + 3. Copies JSON schemas to release-schemas/ + 4. Copies metaschemas to release-metaschemas/ + 5. Cleans up temporary files +""", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + %(prog)s # Download latest release + %(prog)s --version 1.2.2 # Download specific version + %(prog)s --version 1.1.2 # Download older version + %(prog)s -v 1.2.1 # Short form + +Output directories: + - JSON schemas: release-schemas/ + - Metaschemas: release-metaschemas/ + +Available versions can be found at: + https://github.com/usnistgov/OSCAL/releases + """, + ) + + parser.add_argument( + '--version', '-v', help='OSCAL version to download (e.g., 1.2.2). If not specified, downloads latest.' + ) + + parser.add_argument('--output-dir', '-o', help='Output directory (defaults to project root)') + + args = parser.parse_args() + + # Determine version to download + if args.version: + version = args.version.lstrip('v') # Remove 'v' prefix if present + print(f'Downloading OSCAL v{version} (specified version)') + else: + print('Fetching latest OSCAL release version...') + version = get_latest_version() + print(f'Latest version: {version}') + + # Download OSCAL + download_oscal(version, args.output_dir) + + +if __name__ == '__main__': + main() + +# Made with Bob diff --git a/scripts/extract_oscal_namespace.py b/scripts/extract_oscal_namespace.py new file mode 100755 index 000000000..d3a20820b --- /dev/null +++ b/scripts/extract_oscal_namespace.py @@ -0,0 +1,311 @@ +#!/usr/bin/env python3 +""" +Extract OSCAL namespace constraints from metaschema files. + +This script parses OSCAL metaschema XML files to extract all allowed-values +constraints that define the OSCAL default namespace vocabulary. It generates +a YAML file representing the complete OSCAL namespace structure. +""" + +import xml.etree.ElementTree as ET # noqa: S405 +from pathlib import Path +from collections import defaultdict +import yaml +import re +import sys + +NAMESPACE_YAML_PATH = Path('trestle/resources/oscal_namespace.yaml') + + +def parse_metaschema(file_path): + """Parse a metaschema file and extract OSCAL namespace constraints.""" + tree = ET.parse(file_path) # noqa: S314 + root = tree.getroot() + + # Define namespace + ns = {'m': 'http://csrc.nist.gov/ns/oscal/metaschema/1.0'} + + # Extract document type from short-name + short_name_elem = root.find('m:short-name', ns) + document_type = short_name_elem.text if short_name_elem is not None else 'unknown' + + constraints = [] + + # Find all allowed-values elements with has-oscal-namespace + for allowed_values in root.findall('.//m:allowed-values', ns): + target = allowed_values.get('target', '') + + # Check if this constraint uses has-oscal-namespace + if 'has-oscal-namespace' not in target: + continue + + constraint_id = allowed_values.get('id', '') + allow_other = allowed_values.get('allow-other', 'no') + + # Find the parent assembly or field that contains this constraint + parent_context = None + for assembly in root.findall('.//m:define-assembly', ns): + if allowed_values in list(assembly.iter()): + parent_context = assembly.get('name') + break + if parent_context is None: + for field in root.findall('.//m:define-field', ns): + if allowed_values in list(field.iter()): + parent_context = field.get('name') + break + + # Extract the target path and attribute + # Examples: + # prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name + # prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value + # .[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')] - field value constraint + + # Parse target to extract context and attribute + target_match = re.search(r'([^[]+)\[has-oscal-namespace\([^)]+\)([^\]]*)\]/@(\w+)', target) + if not target_match: + # Try simpler pattern for targets like ".[has-oscal-namespace(...)]" + # This is a field value constraint, need to find the parent field/flag name + target_match = re.search(r'\.\[has-oscal-namespace\([^)]+\)\]', target) + if target_match: + # Find the parent define-field or define-flag element + parent = allowed_values + field_name = None + while parent is not None: + if parent.tag.endswith('define-field') or parent.tag.endswith('define-flag'): + field_name = parent.get('name') + break + parent = parent.find('..') # This won't work with ElementTree + # Need to search from root instead + break + + # Alternative: search for parent in the tree + if field_name is None: + # Find all define-field and define-flag elements that contain this allowed-values + for define_elem in root.findall('.//m:define-field', ns): + if allowed_values in define_elem.iter(): + field_name = define_elem.get('name') + break + if field_name is None: + for define_elem in root.findall('.//m:define-flag', ns): + if allowed_values in define_elem.iter(): + field_name = define_elem.get('name') + break + + if field_name: + element = field_name + conditions = '' + attribute = '' # Empty means it's the field value itself, not an attribute + else: + # Fallback to "." if we can't find the parent + element = '.' + conditions = '' + attribute = '' + else: + continue + else: + element = target_match.group(1).strip() + conditions = target_match.group(2).strip() + attribute = target_match.group(3) + + # Prepend parent context if found and element is not already a path + if parent_context and '/' not in element and element != '.': + element = f'{parent_context}/{element}' + + # Extract namespace from target + ns_match = re.search(r"has-oscal-namespace\('([^']+)'\)", target) + namespace = ns_match.group(1) if ns_match else 'http://csrc.nist.gov/ns/oscal' + + # Extract additional conditions (like @name='type') + condition_dict = {} + if conditions: + cond_matches = re.findall(r"@(\w+)='([^']+)'", conditions) + for cond_name, cond_value in cond_matches: + condition_dict[cond_name] = cond_value + + # Extract enum values + enums = [] + for enum in allowed_values.findall('m:enum', ns): + value = enum.get('value', '') + deprecated = enum.get('deprecated', '') + description = ''.join(enum.itertext()).strip() + # Remove the value from the description + if description.startswith(value): + description = description[len(value) :].strip() + + enum_data = {'value': value, 'description': description} + if deprecated: + enum_data['deprecated'] = deprecated + + enums.append(enum_data) + + constraint = { + 'id': constraint_id, + 'file': file_path.name, + 'document_type': document_type, + 'target': target, + 'element': element, + 'attribute': attribute, + 'namespace': namespace, + 'allow_other': allow_other == 'yes', + 'enums': enums, + } + + if condition_dict: + constraint['conditions'] = condition_dict + + constraints.append(constraint) + + return constraints + + +def organize_constraints(all_constraints): + """Organize constraints into a hierarchical structure by document type.""" + organized = defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: defaultdict(list)))) + + for constraint in all_constraints: + element = constraint['element'] + attribute = constraint['attribute'] + namespace = constraint['namespace'] + document_type = constraint['document_type'] + + # Create a key for grouping + if constraint.get('conditions'): + # This is a conditional constraint (e.g., prop with name='type') + cond_str = ', '.join(f'{k}={v}' for k, v in constraint['conditions'].items()) + if attribute: + key = f'{element}[@{attribute}] where {cond_str}' + else: + key = f'{element} where {cond_str}' + else: + # This is a simple constraint + if attribute: + key = f'{element}[@{attribute}]' + else: + # Field value constraint (no attribute) + key = element + + organized[namespace][document_type][element][key].append(constraint) + + return organized + + +def generate_yaml_output(organized_constraints): + """Generate YAML representation of the OSCAL namespace.""" + output = { + 'oscal_namespace': { + 'version': '1.2.2', + 'description': 'OSCAL default namespace vocabulary extracted from metaschemas', + 'namespaces': {}, + } + } + + for namespace, document_types in sorted(organized_constraints.items()): + ns_data = {} + + for document_type, elements in sorted(document_types.items()): + doc_data = {} + + for element, constraints_by_key in sorted(elements.items()): + element_data = {} + + for key, constraints in sorted(constraints_by_key.items()): + # Merge constraints with the same key + merged_enums = [] + seen_values = set() + allow_other = False + constraint_ids = [] + files = set() + + for constraint in constraints: + # Deduplicate enums by value + for enum in constraint['enums']: + if enum['value'] not in seen_values: + merged_enums.append(enum) + seen_values.add(enum['value']) + allow_other = allow_other or constraint['allow_other'] + constraint_ids.append(constraint['id']) + files.add(constraint['file']) + + constraint_data = { + 'allowed_values': [e['value'] for e in merged_enums], + 'allow_other': allow_other, + 'definitions': merged_enums, + 'constraint_ids': constraint_ids, + 'source_files': sorted(files), + } + + # Add conditions if present + if constraints[0].get('conditions'): + constraint_data['conditions'] = constraints[0]['conditions'] + + element_data[key] = constraint_data + + doc_data[element] = element_data + + ns_data[document_type] = doc_data + + output['oscal_namespace']['namespaces'][namespace] = ns_data + + return output + + +def main(): + """Main function to extract OSCAL namespace from metaschemas.""" + # Get the metaschemas directory + script_dir = Path(__file__).parent + project_root = script_dir.parent + metaschemas_dir = project_root / 'release-metaschemas' + + if not metaschemas_dir.exists(): + print(f'Error: Metaschemas directory not found: {metaschemas_dir}') + print("Please run 'make download-oscal' first.") + sys.exit(1) + + # Find all metaschema files, excluding the complete metaschema to avoid duplication + metaschema_files = [f for f in metaschemas_dir.glob('oscal_*_metaschema_RESOLVED.xml') if 'complete' not in f.name] + + if not metaschema_files: + print(f'Error: No metaschema files found in {metaschemas_dir}') + sys.exit(1) + + print(f'Found {len(metaschema_files)} metaschema files (excluding complete)') + + # Parse all metaschemas + all_constraints = [] + for metaschema_file in sorted(metaschema_files): + print(f'Parsing {metaschema_file.name}...') + constraints = parse_metaschema(metaschema_file) + all_constraints.extend(constraints) + print(f' Found {len(constraints)} OSCAL namespace constraints') + + print(f'\nTotal constraints found: {len(all_constraints)}') + + # Organize constraints + organized = organize_constraints(all_constraints) + + # Generate YAML output + output = generate_yaml_output(organized) + + # Write to file + output_file = project_root / NAMESPACE_YAML_PATH + output_file.parent.mkdir(parents=True, exist_ok=True) + with open(output_file, 'w') as f: + yaml.dump(output, f, default_flow_style=False, sort_keys=False, width=120) + + print(f'\nOSCAL namespace written to: {output_file}') + + # Print summary + print('\nSummary:') + for namespace, document_types in sorted(organized.items()): + print(f'\n Namespace: {namespace}') + for document_type, elements in sorted(document_types.items()): + print(f' Document Type: {document_type}') + for element in sorted(elements.keys()): + constraint_count = sum(len(c) for c in elements[element].values()) + print(f' {element}: {constraint_count} constraint(s)') + + +if __name__ == '__main__': + main() + +# Made with Bob diff --git a/scripts/get_oscal_values.py b/scripts/get_oscal_values.py new file mode 100755 index 000000000..f2e44f128 --- /dev/null +++ b/scripts/get_oscal_values.py @@ -0,0 +1,396 @@ +#!/usr/bin/env python3 +""" +Query OSCAL namespace for valid values. + +This script queries the oscal_namespace.yaml file to retrieve allowed values +for a given OSCAL path and optionally an attribute. + +Usage: + python3 scripts/get_oscal_values.py [attribute] + +Examples: + # Attribute constraints: + python3 scripts/get_oscal_values.py catalog.part.prop name + python3 scripts/get_oscal_values.py component.prop name + python3 scripts/get_oscal_values.py prop value --condition name=type + + # Field value constraints: + python3 scripts/get_oscal_values.py mapping-collection.mappings.maps.relationship + python3 scripts/get_oscal_values.py relationship +""" + +import yaml +import sys +import argparse +from pathlib import Path + +NAMESPACE_YAML_PATH = Path('trestle/resources/oscal_namespace.yaml') + + +def load_namespace_data(yaml_file): + """Load the OSCAL namespace YAML file.""" + if not yaml_file.exists(): + print(f'Error: {yaml_file} not found.') + print("Please run 'python3 scripts/extract_oscal_namespace.py' first.") + sys.exit(1) + + with open(yaml_file, 'r') as f: + return yaml.safe_load(f) + + +def normalize_path(path): + """ + Normalize a path to extract document type and element. + + Supports: + - Full metaschema names: oscal-catalog, oscal-mapping-common + - Short metaschema names: catalog, mapping-common (adds oscal- prefix) + - User-friendly aliases: mapping, mapping-collection -> oscal-mapping-common + + Examples: + 'catalog.metadata.prop' -> ('oscal-catalog', 'prop') + 'mapping.relationship' -> ('oscal-mapping-common', 'relationship') + 'mapping-collection.relationship' -> ('oscal-mapping-common', 'relationship') + + Returns: + Tuple of (document_type, element) + - document_type: Full oscal- prefixed metaschema name or None + - element: The final element name + """ + parts = path.split('.') + + if len(parts) > 1: + first_part = parts[0] + + # User-friendly aliases that map to actual metaschema document types + # These handle cases where the user-facing name differs from internal organization + aliases = { + 'mapping': 'oscal-mapping-common', + 'mapping-collection': 'oscal-mapping-common', + 'oscal-mapping': 'oscal-mapping-common', + 'component': 'oscal-component-definition', + 'oscal-component': 'oscal-component-definition', + } + + if first_part in aliases: + document_type = aliases[first_part] + elif first_part.startswith('oscal-'): + # Already has oscal- prefix, use as-is + document_type = first_part + else: + # Add oscal- prefix + document_type = f'oscal-{first_part}' + + element = parts[-1] + else: + document_type = None + element = parts[-1] + + return document_type, element + + +def get_included_document_types(document_type): + """ + Get list of document types that should be included when querying a specific document type. + This includes the document type itself plus any common modules it imports. + + Args: + document_type: The main document type (e.g., 'oscal-catalog') + + Returns: + List of document types to search (e.g., ['oscal-catalog', 'oscal-control-common', 'oscal-metadata']) + """ + if not document_type: + return None + + # Mapping of main document types to their included common modules + # Based on actual metaschema import statements + includes = { + 'oscal-catalog': ['oscal-catalog', 'oscal-control-common', 'oscal-metadata'], + 'oscal-profile': ['oscal-profile', 'oscal-metadata', 'oscal-control-common'], + 'oscal-component-definition': ['oscal-component-definition', 'oscal-implementation-common'], + 'oscal-ssp': ['oscal-ssp', 'oscal-metadata', 'oscal-implementation-common'], + 'oscal-ap': ['oscal-ap', 'oscal-metadata', 'oscal-assessment-common'], + 'oscal-ar': ['oscal-ar', 'oscal-metadata', 'oscal-assessment-common'], + 'oscal-poam': ['oscal-poam', 'oscal-metadata', 'oscal-implementation-common', 'oscal-assessment-common'], + 'oscal-mapping-common': ['oscal-mapping-common', 'oscal-metadata'], + # Common modules can be queried directly + 'oscal-control-common': ['oscal-control-common'], + 'oscal-implementation-common': ['oscal-implementation-common'], + 'oscal-assessment-common': ['oscal-assessment-common'], + 'oscal-metadata': ['oscal-metadata'], + } + + return includes.get(document_type, [document_type]) + + +def find_matching_constraints( + namespace_data, element, attribute, namespace_uri=None, conditions=None, document_type=None, constraint_key=None +): + """ + Find constraints matching the given element and attribute. + + Args: + namespace_data: Loaded YAML data + element: Element name (e.g., 'prop', 'part', 'relationship') + attribute: Attribute name (e.g., 'name', 'value') or empty string for field value constraints + namespace_uri: Optional namespace URI to filter by + conditions: Optional dict of conditions (e.g., {'name': 'type'}) + document_type: Optional document type to filter by (e.g., 'oscal-catalog', 'oscal-ssp') + constraint_key: Optional exact constraint key to match (e.g., 'metadata/prop[@name]') + When provided, only returns exact matches for this constraint + + Returns: + List of matching constraints with their allowed values + """ + namespaces = namespace_data['oscal_namespace']['namespaces'] + + # Default to OSCAL namespace if not specified + if namespace_uri is None: + namespace_uri = 'http://csrc.nist.gov/ns/oscal' + + if namespace_uri not in namespaces: + return [] + + ns_data = namespaces[namespace_uri] + matches = [] + + # Get list of document types to search (includes common modules) + doc_types_to_search = get_included_document_types(document_type) if document_type else None + + # Iterate through document types + for doc_type, doc_data in ns_data.items(): + # Filter by document type if specified + if doc_types_to_search and doc_type not in doc_types_to_search: + continue + + # Search through all elements in this document type + for elem_key, elem_data in doc_data.items(): + # If exact constraint_key is specified, we need to match the full elem_key + if constraint_key: + # Extract the element path from constraint_key (e.g., 'metadata/prop' from 'metadata/prop[@name]') + # The elem_key in the YAML is the hierarchical path (e.g., 'metadata/prop') + if '[@' in constraint_key: + expected_elem_key = constraint_key.split('[@')[0] + else: + expected_elem_key = constraint_key + + # Skip if elem_key doesn't match + if elem_key != expected_elem_key: + continue + else: + # No exact constraint_key specified, use fuzzy matching + # elem_key could be 'prop', 'part', 'metadata/prop', 'relationship', etc. + if element not in elem_key: + continue + + # Search through constraints for this element + for ck, constraint_data in elem_data.items(): + # ck format examples: + # - "prop[@name]" + # - "prop[@value] where name=type" + # - "relationship" (field value constraint, no attribute) + + # If exact constraint_key is specified, only match that exact constraint + if constraint_key and ck != constraint_key: + continue + + # Check if this is a field value constraint (no attribute) + if not attribute or attribute == 'value': + # For field value constraints, the ck could be: + # - Just the element name (e.g., 'relationship') + # - A hierarchical path (e.g., 'map/relationship') + # Match if ck equals element OR if ck ends with element + if ck == element or (ck == elem_key and elem_key.endswith('/' + element)): + matches.append( + { + 'element_key': elem_key, + 'constraint_key': ck, + 'allowed_values': constraint_data['allowed_values'], + 'allow_other': constraint_data['allow_other'], + 'definitions': constraint_data['definitions'], + 'source_files': constraint_data['source_files'], + 'document_type': doc_type, + } + ) + continue + + # Check if attribute matches (for attribute constraints) + if attribute and f'[@{attribute}]' not in ck: + continue + + # Check conditions if specified + if conditions: + # Parse conditions from ck + if 'where' in ck: + constraint_conditions = constraint_data.get('conditions', {}) + if not all(constraint_conditions.get(k) == v for k, v in conditions.items()): + continue + else: + # Conditions specified but constraint has none + continue + else: + # No conditions specified, prefer constraints without conditions + if 'where' in ck: + continue + + matches.append( + { + 'element_key': elem_key, + 'constraint_key': ck, + 'allowed_values': constraint_data['allowed_values'], + 'allow_other': constraint_data['allow_other'], + 'definitions': constraint_data['definitions'], + 'source_files': constraint_data['source_files'], + 'document_type': doc_type, + } + ) + + return matches + + +def format_output(matches, verbose=False): + """Format the output for display.""" + if not matches: + return 'No matching constraints found.' + + output = [] + + for i, match in enumerate(matches): + if len(matches) > 1: + doc_type = match.get('document_type', 'unknown') + output.append(f'\n=== Match {i + 1}: {match["constraint_key"]} (Document: {doc_type}) ===') + + output.append(f'Allowed values ({len(match["allowed_values"])}):') + for value in match['allowed_values']: + output.append(f' - {value}') + + if match['allow_other']: + output.append(' (other values are also allowed)') + + if verbose: + output.append('\nSource files:') + for source in match['source_files']: + output.append(f' - {source}') + + output.append('\nDefinitions:') + for defn in match['definitions']: + deprecated = f' [DEPRECATED: {defn["deprecated"]}]' if 'deprecated' in defn else '' + output.append(f' - {defn["value"]}{deprecated}') + if defn['description']: + # Wrap long descriptions + desc = defn['description'].replace('\n', ' ').strip() + if len(desc) > 80: + desc = desc[:77] + '...' + output.append(f' {desc}') + + return '\n'.join(output) + + +def main(): + parser = argparse.ArgumentParser( + description='Query OSCAL namespace for valid values', + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + %(prog)s catalog.part.prop name + %(prog)s component.prop name + %(prog)s prop value --condition name=type + %(prog)s prop name --verbose + %(prog)s catalog.parameter.prop name --document-type catalog + %(prog)s mapping-collection.mappings.maps.relationship + +Available Document Types: + Main OSCAL Models: + catalog, profile, component, ssp, ap, ar, poam, oscal-mapping, mapping, mapping-collection + (or with oscal- prefix: oscal-catalog, oscal-profile, etc.) + + Common Modules: + oscal-control-common, oscal-implementation-common, oscal-assessment-common, oscal-metadata + +Note: When specifying a document type, constraints from imported common + modules (control-common, implementation-common, assessment-common, + metadata) are automatically included. + """, + ) + + parser.add_argument('path', help='OSCAL path (e.g., catalog.part.prop, relationship)') + parser.add_argument( + 'attribute', nargs='?', default='', help='Attribute name (e.g., name, value). Omit for field value constraints.' + ) + parser.add_argument( + '--condition', '-c', action='append', help='Condition in format key=value (can be specified multiple times)' + ) + parser.add_argument( + '--namespace', '-n', default='http://csrc.nist.gov/ns/oscal', help='Namespace URI (default: OSCAL namespace)' + ) + parser.add_argument('--document-type', '-d', help='Filter by document type (includes imported common modules)') + parser.add_argument('--constraint-key', '-k', help='Exact constraint key to match (e.g., metadata/prop[@name])') + parser.add_argument('--verbose', '-v', action='store_true', help='Show detailed information including descriptions') + parser.add_argument('--json', '-j', action='store_true', help='Output as JSON') + + args = parser.parse_args() + + # Parse conditions + conditions = {} + if args.condition: + for cond in args.condition: + if '=' not in cond: + print(f"Error: Invalid condition format '{cond}'. Use key=value") + sys.exit(1) + key, value = cond.split('=', 1) + conditions[key.strip()] = value.strip() + + # Load namespace data + script_dir = Path(__file__).parent + project_root = script_dir.parent + yaml_file = project_root / NAMESPACE_YAML_PATH + + namespace_data = load_namespace_data(yaml_file) + + # Normalize path to get document type and element + document_type, element = normalize_path(args.path) + + # Override document_type if explicitly provided + if args.document_type: + document_type = args.document_type + + # Find matching constraints + matches = find_matching_constraints( + namespace_data, + element, + args.attribute, + args.namespace, + conditions if conditions else None, + document_type, + args.constraint_key, + ) + + # Output results + if args.json: + import json + + result = { + 'path': args.path, + 'element': element, + 'attribute': args.attribute, + 'namespace': args.namespace, + 'conditions': conditions if conditions else None, + 'matches': matches, + } + print(json.dumps(result, indent=2)) + else: + print(f'Query: {args.path} [@{args.attribute}]') + if document_type: + print(f'Document Type: {document_type}') + if conditions: + print(f'Conditions: {conditions}') + print(f'Namespace: {args.namespace}') + print() + print(format_output(matches, args.verbose)) + + +if __name__ == '__main__': + main() + +# Made with Bob diff --git a/scripts/oscal_namespace_query.py b/scripts/oscal_namespace_query.py new file mode 100755 index 000000000..94d2d8079 --- /dev/null +++ b/scripts/oscal_namespace_query.py @@ -0,0 +1,320 @@ +#!/usr/bin/env python3 +""" +Query and test OSCAL namespace constraints. + +This script reads the oscal_namespace.yaml file and tests all OSCAL namespace +constraints, displaying the results to the console. It can test all constraints +or filter by document type. + +Usage: + python scripts/oscal_namespace_query.py [--document-type TYPE] + +Examples: + python scripts/oscal_namespace_query.py + python scripts/oscal_namespace_query.py --document-type catalog + python scripts/oscal_namespace_query.py --document-type component +""" + +import yaml +import subprocess +import sys +import argparse +from pathlib import Path +from collections import defaultdict + +NAMESPACE_YAML_PATH = Path('trestle/resources/oscal_namespace.yaml') + + +def load_namespace_data(yaml_file): + """Load the OSCAL namespace YAML file.""" + if not yaml_file.exists(): + print(f'Error: {yaml_file} not found.') + print("Please run 'python3 scripts/extract_oscal_namespace.py' first.") + sys.exit(1) + + with open(yaml_file, 'r') as f: + return yaml.safe_load(f) + + +def get_included_document_types(document_type): + """ + Get list of document types that should be included when testing a specific document type. + This includes the document type itself plus any common modules it imports. + """ + if not document_type: + return None + + includes = { + 'oscal-catalog': ['oscal-catalog', 'oscal-control-common', 'oscal-metadata'], + 'oscal-profile': ['oscal-profile', 'oscal-metadata', 'oscal-control-common'], + 'oscal-component-definition': ['oscal-component-definition', 'oscal-implementation-common'], + 'oscal-ssp': ['oscal-ssp', 'oscal-metadata', 'oscal-implementation-common'], + 'oscal-ap': ['oscal-ap', 'oscal-metadata', 'oscal-assessment-common'], + 'oscal-ar': ['oscal-ar', 'oscal-metadata', 'oscal-assessment-common'], + 'oscal-poam': ['oscal-poam', 'oscal-metadata', 'oscal-implementation-common', 'oscal-assessment-common'], + 'oscal-mapping-common': ['oscal-mapping-common', 'oscal-metadata'], + 'oscal-control-common': ['oscal-control-common'], + 'oscal-implementation-common': ['oscal-implementation-common'], + 'oscal-assessment-common': ['oscal-assessment-common'], + 'oscal-metadata': ['oscal-metadata'], + } + + return includes.get(document_type, [document_type]) + + +def extract_queries(namespace_data, filter_document_type=None): + """ + Extract all possible queries from the namespace data. + + Args: + namespace_data: Loaded YAML data + filter_document_type: Optional document type to filter by (e.g., 'oscal-catalog') + When specified, includes constraints from imported common modules + + Returns: + List of query dictionaries + """ + queries = [] + namespaces = namespace_data['oscal_namespace']['namespaces'] + + # Get list of document types to include (main type + common modules) + doc_types_to_include = get_included_document_types(filter_document_type) if filter_document_type else None + + for namespace_uri, ns_data in namespaces.items(): + for document_type, doc_data in ns_data.items(): + # Filter by document type if specified (includes common modules) + if doc_types_to_include and document_type not in doc_types_to_include: + continue + + for _element, elem_data in doc_data.items(): + for constraint_key, constraint_data in elem_data.items(): + # Parse the constraint_key to extract element, attribute, and conditions + # Examples: + # - "prop[@name]" + # - "prop[@value] where name=type" + # - "relationship" (field value constraint) + + if '[@' in constraint_key: + # Attribute constraint + parts = constraint_key.split('[@') + elem = parts[0].strip() + rest = parts[1] + + if ']' in rest: + attr = rest.split(']')[0] + + # Check for conditions + conditions = [] + if 'where' in constraint_key: + cond_part = constraint_key.split('where')[1].strip() + # Parse conditions like "name=type, class=value" + for cond in cond_part.split(','): + cond = cond.strip() + if '=' in cond: + conditions.append(cond) + + queries.append( + { + 'namespace': namespace_uri, + 'document_type': document_type, + 'element': elem, + 'attribute': attr, + 'conditions': conditions, + 'constraint_key': constraint_key, + 'num_values': len(constraint_data['allowed_values']), + 'allow_other': constraint_data['allow_other'], + } + ) + else: + # Field value constraint (no attribute) + queries.append( + { + 'namespace': namespace_uri, + 'document_type': document_type, + 'element': constraint_key, + 'attribute': '', + 'conditions': [], + 'constraint_key': constraint_key, + 'num_values': len(constraint_data['allowed_values']), + 'allow_other': constraint_data['allow_other'], + } + ) + + return queries + + +def run_query( + script_path, element, attribute='', conditions=None, namespace=None, document_type=None, constraint_key=None +): + """ + Run the get_oscal_values.py script with the given parameters. + + Args: + script_path: Path to get_oscal_values.py + element: Element name (e.g., 'prop') + attribute: Attribute name (e.g., 'name') + conditions: List of condition strings (e.g., ['name=type']) + namespace: Namespace URI + document_type: Document type (e.g., 'oscal-catalog') + constraint_key: Full constraint key for exact matching (e.g., 'metadata/prop[@name]') + + Returns: + Tuple of (success, output) + """ + cmd = ['python3', str(script_path), element] + + if attribute: + cmd.append(attribute) + + if conditions: + for cond in conditions: + cmd.extend(['--condition', cond]) + + if namespace: + cmd.extend(['--namespace', namespace]) + + if document_type: + cmd.extend(['--document-type', document_type]) + + if constraint_key: + cmd.extend(['--constraint-key', constraint_key]) + + try: + result = subprocess.run(cmd, capture_output=True, text=True, timeout=10) + return (result.returncode == 0, result.stdout) + except subprocess.TimeoutExpired: + return (False, 'Query timed out') + except Exception as e: + return (False, f'Error: {str(e)}') + + +def main(): + """Main test driver function.""" + # Parse command-line arguments + parser = argparse.ArgumentParser( + description='Query and test OSCAL namespace constraints', + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + %(prog)s + %(prog)s --document-type oscal-catalog + %(prog)s --document-type catalog + %(prog)s --document-type component + +Available Document Types: + Main OSCAL Models: + oscal-catalog, catalog + oscal-profile, profile + oscal-component-definition, component + oscal-ssp, ssp + oscal-ap, ap + oscal-ar, ar + oscal-poam, poam + oscal-mapping, mapping, mapping-collection + + Common Modules (automatically included in main models): + oscal-control-common + oscal-implementation-common + oscal-assessment-common + oscal-metadata + +Note: When querying a main model, constraints from its imported common + modules are automatically included. + """, + ) + parser.add_argument('--document-type', '-d', help='Filter tests by document type') + + args = parser.parse_args() + + # Normalize document type with aliases + document_type = args.document_type + if document_type: + aliases = { + 'mapping': 'oscal-mapping-common', + 'mapping-collection': 'oscal-mapping-common', + 'component': 'oscal-component-definition', + } + if document_type in aliases: + document_type = aliases[document_type] + elif not document_type.startswith('oscal-'): + document_type = f'oscal-{document_type}' + + # Setup paths + script_dir = Path(__file__).parent + project_root = script_dir.parent + yaml_file = project_root / NAMESPACE_YAML_PATH + get_values_script = script_dir / 'get_oscal_values.py' + + if not get_values_script.exists(): + print(f'Error: {get_values_script} not found.') + sys.exit(1) + + # Load namespace data + namespace_data = load_namespace_data(yaml_file) + + # Extract all queries (optionally filtered by document type) + queries = extract_queries(namespace_data, document_type) + + # Group queries by namespace + queries_by_ns = defaultdict(list) + for query in queries: + queries_by_ns[query['namespace']].append(query) + + # Run tests + total_tests = 0 + passed_tests = 0 + failed_tests = 0 + + for namespace_uri, ns_queries in sorted(queries_by_ns.items()): + print(f'\n{"=" * 80}') + print(f'Namespace: {namespace_uri}') + print(f'{"=" * 80}\n') + + for i, query in enumerate(sorted(ns_queries, key=lambda x: x['constraint_key']), 1): + total_tests += 1 + + # Use the full constraint_key which includes hierarchical context + # This shows exactly which constraint is being tested (e.g., 'metadata/prop[@name]') + query_desc = query['constraint_key'] + + # Add document type to description + doc_type_desc = f' ({query["document_type"]})' if query.get('document_type') else '' + + print(f'\n[{i}/{len(ns_queries)}] {query_desc}{doc_type_desc}') + print(f' Values: {query["num_values"]}, allow_other={query["allow_other"]}') + + # Run the query with full constraint_key for exact matching + success, output = run_query( + get_values_script, + query['element'], + query['attribute'], + query['conditions'] if query['conditions'] else None, + namespace_uri, + query.get('document_type'), + query['constraint_key'], + ) + + if success: + passed_tests += 1 + + # Extract and display the values from output + lines = output.strip().split('\n') + for line in lines: + if line.strip().startswith('- '): + print(f' {line.strip()}') + else: + failed_tests += 1 + print(' ERROR:') + for line in output.split('\n')[:5]: # Show first 5 lines of error + print(f' {line}') + + # Exit with error code if any tests failed + if failed_tests > 0: + sys.exit(1) + sys.exit(0) + + +if __name__ == '__main__': + main() + +# Made with Bob diff --git a/trestle/resources/oscal_namespace.yaml b/trestle/resources/oscal_namespace.yaml new file mode 100644 index 000000000..5582d7236 --- /dev/null +++ b/trestle/resources/oscal_namespace.yaml @@ -0,0 +1,1747 @@ +oscal_namespace: + version: 1.2.2 + description: OSCAL default namespace vocabulary extracted from metaschemas + namespaces: + http://csrc.nist.gov/ns/oscal: + oscal-ap: + assessment-plan/part: + assessment-plan/part[@name]: + allowed_values: + - rules-of-engagement + - disclosures + - assessment-inclusions + - assessment-exclusions + - results-delivery + - assumptions + - methodology + allow_other: false + definitions: + - value: rules-of-engagement + description: Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques + or actions may be applied to the assessment. + - value: disclosures + description: Any information the assessor should make known to the system owner or authorizing official. Has + child 'item' parts for each individual disclosure. + - value: assessment-inclusions + description: Defines any assessment activities which the system owner or authorizing official wishes to ensure + are performed as part of the assessment. + - value: assessment-exclusions + description: Defines any assessment activities which the system owner or authorizing official explicitly prohibits + from being performed as part of the assessment. + - value: results-delivery + description: Defines conditions related to the delivery of the assessment results, such as when to deliver, + how, and to whom. + - value: assumptions + description: Defines any supposition made by the assessor. Has child 'item' parts for each assumption. + - value: methodology + description: An explanation of practices, procedures, and rules used in the course of the assessment. + constraint_ids: + - oscal-terms-and-conditions-part-name + source_files: + - oscal_assessment-plan_metaschema_RESOLVED.xml + oscal-assessment-common: + '@name=''objective'']/prop': + '@name=''objective'']/prop[@name]': + allowed_values: + - method + allow_other: false + definitions: + - value: method + description: The assessment method to use. This typically appears on parts with the name "objective". + constraint_ids: + - oscal-assesment-part-objective-name + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + '@name=''objective'']/prop[@value] where name=method': + allowed_values: + - INTERVIEW + - EXAMINE + - TEST + allow_other: false + definitions: + - value: INTERVIEW + description: The process of holding discussions with individuals or groups of individuals within an organization + to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + - value: EXAMINE + description: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment + objects (i.e., specifications, mechanisms, or activities). + - value: TEST + description: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under + specified conditions to compare actual with expected behavior. + constraint_ids: + - oscal-assesment-part-objective-method-value + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + conditions: + name: method + activity/prop: + activity/prop[@name]: + allowed_values: + - method + allow_other: false + definitions: + - value: method + description: The assessment method to use. This typically appears on parts with the name "assessment". + constraint_ids: + - oscal-activity-values + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + activity/prop[@value] where name=method: + allowed_values: + - INTERVIEW + - EXAMINE + - TEST + allow_other: false + definitions: + - value: INTERVIEW + description: The process of holding discussions with individuals or groups of individuals within an organization + to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + - value: EXAMINE + description: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment + objects (i.e., specifications, mechanisms, or activities). + - value: TEST + description: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under + specified conditions to compare actual with expected behavior. + constraint_ids: + - oscal-activity-type-values + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + conditions: + name: method + characterization/prop: + characterization/prop[@name]: + allowed_values: + - state + allow_other: false + definitions: + - value: state + description: Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value + has be changed after some adjustments have been made (e.g., to identify residual risk). + constraint_ids: + - oscal-facet-prop-name-values + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + characterization/prop[@value] where name=state: + allowed_values: + - initial + - adjusted + allow_other: false + definitions: + - value: initial + description: As first identified. + - value: adjusted + description: Indicates that residual risk remains after some adjustments have been made. + constraint_ids: + - oscal-facet-prop-state-values + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + conditions: + name: state + local-objective/part: + local-objective/part[@name]: + allowed_values: + - objective + - assessment + - assessment-objective + - assessment-method + allow_other: false + definitions: + - value: objective + description: '**(deprecated)** Use ''assessment-objective'' instead.' + deprecated: 1.0.1 + - value: assessment + description: '**(deprecated)** Use ''assessment-method'' instead.' + deprecated: 1.0.1 + - value: assessment-objective + description: The part defines an assessment objective. + - value: assessment-method + description: The part defines an assessment method. + constraint_ids: + - oscal-assessment-objective-types + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + response/prop: + response/prop[@name]: + allowed_values: + - type + allow_other: false + definitions: + - value: type + description: Risk Response Type + constraint_ids: + - oscal-response-prop-name + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + response/prop[@value] where name=type: + allowed_values: + - avoid + - mitigate + - transfer + - accept + - share + - contingency + - none + allow_other: false + definitions: + - value: avoid + description: The risk will be eliminated. + - value: mitigate + description: The risk will be reduced. + - value: transfer + description: The risk will be transferred to another organization or entity. + - value: accept + description: The risk will continue to exist without further efforts to address it. (Sometimes referred to as + "Operationally required") + - value: share + description: The risk will be partially transferred to another organization or entity. + - value: contingency + description: Plans will be made to address the risk impact if the risk occurs. (This is a form of mitigation.) + - value: none + description: No response, such as when the identified risk is found to be a false positive. + constraint_ids: + - oscal-response-prop-type-value + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + conditions: + name: type + risk/prop: + risk/prop[@name]: + allowed_values: + - type + - false-positive + - accepted + - risk-adjusted + - priority + allow_other: false + definitions: + - value: type + description: The type of remediation tracking entry. Can be multi-valued. + - value: false-positive + description: The risk has been confirmed to be a false positive. + - value: accepted + description: The risk has been accepted. No further action will be taken. + - value: risk-adjusted + description: The risk has been adjusted. + - value: priority + description: A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are + higher priority) + constraint_ids: + - oscal-risk-prop-name-values + - oscal-risk-prop-name-values + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + risk/prop[@value] where name=type: + allowed_values: + - vendor-check-in + - status-update + - milestone-complete + - mitigation + - remediated + - closed + - dr-submission + - dr-updated + - dr-approved + - dr-rejected + allow_other: true + definitions: + - value: vendor-check-in + description: Contacted vendor to determine the status of a pending fix to a known vulnerability. + - value: status-update + description: Information related to the current state of response to this risk. + - value: milestone-complete + description: A significant step in the response plan has been achieved. + - value: mitigation + description: An activity was completed that reduces the likelihood or impact of this risk. + - value: remediated + description: An activity was completed that eliminates the likelihood or impact of this risk. + - value: closed + description: The risk is no longer applicable to the system. + - value: dr-submission + description: A deviation request was made to the authorizing official. + - value: dr-updated + description: A previously submitted deviation request has been modified. + - value: dr-approved + description: The authorizing official approved the deviation. + - value: dr-rejected + description: The authorizing official rejected the deviation. + constraint_ids: + - oscal-risk-prop-type-values + source_files: + - oscal_assessment-common_metaschema_RESOLVED.xml + conditions: + name: type + oscal-catalog: + .//part: + .//part[@name]: + allowed_values: + - objective + - assessment-objective + allow_other: false + definitions: + - value: objective + description: "**(deprecated)** Use\n 'assessment-objective' instead." + deprecated: 1.0.1 + - value: assessment-objective + description: "The part describes a set of assessment\n objectives." + constraint_ids: + - oscal-control-statement-part-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + control/part: + control/part[@name]: + allowed_values: + - overview + - statement + - guidance + - example + - assessment + - assessment-method + allow_other: false + definitions: + - value: overview + description: "An introduction to a control or a group of\n controls." + - value: statement + description: A set of implementation requirements or recommendations. + - value: guidance + description: "Additional information to consider when selecting,\n implementing,\ + \ assessing, and monitoring a control." + - value: example + description: An example of an implemented requirement or control statement. + - value: assessment + description: "**(deprecated)** Use\n 'assessment-method' instead." + deprecated: 1.0.1 + - value: assessment-method + description: "The part describes a method-based assessment\n over a set of assessment\ + \ objects." + constraint_ids: + - oscal-control-part-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + control/prop: + control/prop[@name]: + allowed_values: + - label + - sort-id + - alt-identifier + - status + allow_other: false + definitions: + - value: label + description: A human-readable label for the parent context, which may be rendered in place of the actual identifier + for some use cases. + - value: sort-id + description: An alternative identifier, whose value is easily sortable among other such values in the document. + - value: alt-identifier + description: An alternate or aliased identifier for the parent context. + - value: status + description: "The status of a control. For example, a\n value of 'withdrawn' can\ + \ indicate that the control has\n been withdrawn and should no longer be used." + constraint_ids: + - oscal-control-prop-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + control/prop[@value] where name=status: + allowed_values: + - withdrawn + - Withdrawn + allow_other: false + definitions: + - value: withdrawn + description: The control is no longer used. + - value: Withdrawn + description: "**(deprecated)*** Use 'withdrawn'\n instead." + deprecated: 1.0.0 + constraint_ids: + - oscal-control-prop-status-value + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + conditions: + name: status + group/part: + group/part[@name]: + allowed_values: + - overview + - instruction + allow_other: false + definitions: + - value: overview + description: An introduction to a control or a group of controls. + - value: instruction + description: Information providing directions for a control or a group of controls. + constraint_ids: + - oscal-group-part-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + group/prop: + group/prop[@name]: + allowed_values: + - label + - sort-id + - alt-identifier + allow_other: false + definitions: + - value: label + description: A human-readable label for the parent context, which may be rendered in place of the actual identifier + for some use cases. + - value: sort-id + description: An alternative identifier, whose value is easily sortable among other such values in the document. + - value: alt-identifier + description: An alternate or aliased identifier for the parent context. + constraint_ids: + - oscal-group-prop-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='statement']//part: + has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='statement']//part[@name]: + allowed_values: + - item + allow_other: false + definitions: + - value: item + description: An individual item within a control statement. + constraint_ids: + - oscal-control-statement-part-subpart-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part: + has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[@name]: + allowed_values: + - objects + - assessment-objects + allow_other: false + definitions: + - value: objects + description: "**(deprecated)** Use\n 'assessment-objects' instead." + deprecated: 1.0.1 + - value: assessment-objects + description: "Provides a listing of assessment\n objects." + constraint_ids: + - oscal-control-objective-part-subpart-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop: + has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[@name]: + allowed_values: + - method + allow_other: false + definitions: + - value: method + description: '**(deprecated)** Use ''method'' in the ''http://csrc.nist.gov/ns/rmf'' namespace. The assessment + method to use. This typically appears on parts with the name "assessment-method".' + deprecated: 1.0.1 + constraint_ids: + - oscal-control-statement-part-prop-name + - oscal-control-statement-part-rmf-prop-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + ? has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[@value] + where name=method + : allowed_values: + - INTERVIEW + - EXAMINE + - TEST + allow_other: false + definitions: + - value: INTERVIEW + description: The process of holding discussions with individuals or groups of individuals within an organization + to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + - value: EXAMINE + description: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment + objects (i.e., specifications, mechanisms, or activities). + - value: TEST + description: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under + specified conditions to compare actual with expected behavior. + constraint_ids: + - oscal-control-objective-part-method-prop-value + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + conditions: + name: method + metadata/prop: + metadata/prop[@name]: + allowed_values: + - resolution-tool + - source-profile-uuid + allow_other: false + definitions: + - value: resolution-tool + description: The tool used to produce a resolved profile. + - value: source-profile-uuid + description: The document-level uuid of the source profile from which the catalog was produced by profile resolution. + constraint_ids: + - oscal-catalog-metadata-prop-name + source_files: + - oscal_catalog_metaschema_RESOLVED.xml + oscal-component-definition: + '@type=''software'']/prop': + '@type=''software'']/prop[@name]': + allowed_values: + - software-identifier + allow_other: false + definitions: + - value: software-identifier + description: If a "software" component-type, the identifier, such as a SWID tag, for the software component. + constraint_ids: + - oscal-software-component-prop-name + source_files: + - oscal_component_metaschema_RESOLVED.xml + defined-component/prop: + defined-component/prop[@name]: + allowed_values: + - version + - patch-level + - model + - release-date + - validation-type + - validation-reference + - asset-type + - asset-id + - asset-tag + - public + - virtual + - vlan-id + - network-id + - label + - sort-id + - baseline-configuration-name + - allows-authenticated-scan + - function + - hardware-model + - os-name + - os-version + - software-name + - software-version + - software-patch-level + allow_other: false + definitions: + - value: version + description: The version of the component. + - value: patch-level + description: The specific patch level of the component. + - value: model + description: The model of the component. + - value: release-date + description: The date the component was released, such as a software release date or policy publication date. + - value: validation-type + description: Used with component-type='validation' to provide a well-known name for a kind of validation. + - value: validation-reference + description: Used with component-type='validation' to indicate the validating body's assigned identifier for + their validation of this component. + - value: asset-type + description: Simple indication of the asset's function, such as Router, Storage Array, DNS Server. + - value: asset-id + description: An organizationally specific identifier that is used to uniquely identify a logical or tangible + item by the organization that owns the item. + - value: asset-tag + description: An asset tag assigned by the organization responsible for maintaining the logical or tangible item. + - value: public + description: Identifies whether the asset is publicly accessible (yes/no) + - value: virtual + description: Identifies whether the asset is virtualized (yes/no) + - value: vlan-id + description: Virtual LAN identifier of the asset. + - value: network-id + description: The network identifier of the asset. + - value: label + description: A human-readable label for the parent context. + - value: sort-id + description: An alternative identifier, whose value is easily sortable among other such values in the document. + - value: baseline-configuration-name + description: The name of the baseline configuration for the asset. + - value: allows-authenticated-scan + description: Can the asset be check with an authenticated scan? (yes/no) + - value: function + description: The function provided by the asset for the system. + - value: hardware-model + description: '**(deprecated)** Use ''model'' instead.' + deprecated: 1.2.0 + - value: os-name + description: The name of the operating system used by the asset. + - value: os-version + description: The version of the operating system used by the asset. + - value: software-name + description: The software product name used by the asset. + - value: software-version + description: The software product version used by the asset. + - value: software-patch-level + description: The software product patch level used by the asset. + constraint_ids: + - oscal-component-prop-name + source_files: + - oscal_component_metaschema_RESOLVED.xml + defined-component/prop[@value] where name=allows-authenticated-scan: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The component allows an authenticated scan. + - value: 'no' + description: The component does not allow an authenticated scan. + constraint_ids: + - oscal-component-allows-authenticated-scan-value + source_files: + - oscal_component_metaschema_RESOLVED.xml + conditions: + name: allows-authenticated-scan + defined-component/prop[@value] where name=asset-type: + allowed_values: + - operating-system + - database + - web-server + - dns-server + - email-server + - directory-server + - pbx + - firewall + - router + - switch + - storage-array + - appliance + allow_other: true + definitions: + - value: operating-system + description: System software that manages computer hardware, software resources, and provides common services + for computer programs. + - value: database + description: An electronic collection of data, or information, that is specially organized for rapid search + and retrieval. + - value: web-server + description: A system that delivers content or services to end users over the Internet or an intranet. + - value: dns-server + description: A system that resolves domain names to internet protocol (IP) addresses. + - value: email-server + description: A computer system that sends and receives electronic mail messages. + - value: directory-server + description: A system that stores, organizes and provides access to directory information in order to unify + network resources. + - value: pbx + description: A private branch exchange (PBX) provides a a private telephone switchboard. + - value: firewall + description: A network security system that monitors and controls incoming and outgoing network traffic based + on predetermined security rules. + - value: router + description: A physical or virtual networking device that forwards data packets between computer networks. + - value: switch + description: A physical or virtual networking device that connects devices within a computer network by using + packet switching to receive and forward data to the destination device. + - value: storage-array + description: A consolidated, block-level data storage capability. + - value: appliance + description: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose. + constraint_ids: + - oscal-component-asset-type-value + source_files: + - oscal_component_metaschema_RESOLVED.xml + conditions: + name: asset-type + defined-component/prop[@value] where name=implementation-point: + allowed_values: + - internal + - external + allow_other: false + definitions: + - value: internal + description: The component is implemented within the system boundary. + - value: external + description: The component is implemented outside the system boundary. + constraint_ids: + - oscal-component-implementation-point-value + source_files: + - oscal_component_metaschema_RESOLVED.xml + conditions: + name: implementation-point + defined-component/prop[@value] where name=public: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The component is publicly accessible. + - value: 'no' + description: The component is not publicly accessible. + constraint_ids: + - oscal-component-public-value + source_files: + - oscal_component_metaschema_RESOLVED.xml + conditions: + name: public + defined-component/prop[@value] where name=virtual: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The component is virtualized. + - value: 'no' + description: The component is not virtualized. + constraint_ids: + - oscal-component-virtual-value + source_files: + - oscal_component_metaschema_RESOLVED.xml + conditions: + name: virtual + oscal-control-common: + parameter/prop: + parameter/prop[@name]: + allowed_values: + - label + - sort-id + - alt-identifier + - alt-label + allow_other: false + definitions: + - value: label + description: A human-readable label for the parent context, which may be rendered in place of the actual identifier + for some use cases. + - value: sort-id + description: An alternative identifier, whose value is easily sortable among other such values in the document. + - value: alt-identifier + description: An alternate or aliased identifier for the parent context. + - value: alt-label + description: An alternate to the value provided by the parameter's label. This will typically be qualified by + a class. + constraint_ids: + - oscal-parameter-prop-name + source_files: + - oscal_control-common_metaschema_RESOLVED.xml + part/prop: + part/prop[@name]: + allowed_values: + - label + - sort-id + - alt-identifier + allow_other: false + definitions: + - value: label + description: A human-readable label for the parent context, which may be rendered in place of the actual identifier + for some use cases. + - value: sort-id + description: An alternative identifier, whose value is easily sortable among other such values in the document. + - value: alt-identifier + description: An alternate or aliased identifier for the parent context. + constraint_ids: + - oscal-part-prop-name + source_files: + - oscal_control-common_metaschema_RESOLVED.xml + oscal-implementation-common: + '@type=''interconnection'']/prop': + '@type=''interconnection'']/prop[@name]': + allowed_values: + - isa-title + - isa-date + - isa-remote-system-name + - ipv4-address + - ipv6-address + - direction + - uri + - fqdn + allow_other: false + definitions: + - value: isa-title + description: Title of the Interconnection Security Agreement (ISA). + - value: isa-date + description: Date of the Interconnection Security Agreement (ISA). + - value: isa-remote-system-name + description: The name of the remote interconnected system. + - value: ipv4-address + description: The Internet Protocol Version 4 address is for an interconnection, service, or software component. + - value: ipv6-address + description: The Internet Protocol Version 6 address is for an interconnection, service, or software component. + - value: direction + description: The direction categorizes the network connectivity of an interconnection, service, or software + component. + - value: uri + description: A Uniform Resource Identifier (URI) is for an interconnection, service, or software component. + - value: fqdn + description: The full-qualified domain name (FQDN) of the asset. + constraint_ids: + - oscal-component-interconnection-prop-name-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + '@type=''software'']/prop': + '@type=''software'']/prop[@name]': + allowed_values: + - software-identifier + allow_other: false + definitions: + - value: software-identifier + description: If a "software" component-type, the identifier, such as a SWID tag, for the software component. + constraint_ids: + - oscal-component-software-prop-name-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + '@type=(''interconnection'', ''service'', ''software'', ''system'')]/prop': + '@type=(''interconnection'', ''service'', ''software'', ''system'')]/prop[@name]': + allowed_values: + - ipv4-address + - ipv6-address + - direction + - uri + - fqdn + allow_other: false + definitions: + - value: ipv4-address + description: The Internet Protocol Version 4 address is for an interconnection, service, or software component. + - value: ipv6-address + description: The Internet Protocol Version 6 address is for an interconnection, service, or software component. + - value: direction + description: The direction categorizes the network connectivity of an interconnection, service, or software + component. + - value: uri + description: A Uniform Resource Identifier (URI) is for an interconnection, service, or software component. + - value: fqdn + description: The full-qualified domain name (FQDN) of the asset. + constraint_ids: + - oscal-component-interconnection-service-software-system-prop-name-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + '@type=(''software'', ''hardware'', ''service'')]/prop': + '@type=(''software'', ''hardware'', ''service'')]/prop[@name]': + allowed_values: + - vendor-name + allow_other: false + definitions: + - value: vendor-name + description: The name of the company or organization + constraint_ids: + - oscal-component-hardware-service-software-prop-name-values + - oscal-inventory-item-hardware-service-software-prop-name-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + inventory-item/prop: + inventory-item/prop[@name]: + allowed_values: + - version + - patch-level + - model + - release-date + - validation-type + - validation-reference + - asset-type + - asset-id + - asset-tag + - public + - virtual + - vlan-id + - network-id + - label + - sort-id + - baseline-configuration-name + - allows-authenticated-scan + - function + - hardware-model + - os-name + - os-version + - software-name + - software-version + - software-patch-level + - ipv4-address + - ipv6-address + - fqdn + - uri + - serial-number + - netbios-name + - mac-address + - physical-location + - is-scanned + allow_other: false + definitions: + - value: version + description: The version of the component. + - value: patch-level + description: The specific patch level of the component. + - value: model + description: The model of the component. + - value: release-date + description: The date the component was released, such as a software release date or policy publication date. + - value: validation-type + description: Used with component-type='validation' to provide a well-known name for a kind of validation. + - value: validation-reference + description: Used with component-type='validation' to indicate the validating body's assigned identifier for + their validation of this component. + - value: asset-type + description: Simple indication of the asset's function, such as Router, Storage Array, DNS Server. + - value: asset-id + description: An organizationally specific identifier that is used to uniquely identify a logical or tangible + item by the organization that owns the item. + - value: asset-tag + description: An asset tag assigned by the organization responsible for maintaining the logical or tangible item. + - value: public + description: Identifies whether the asset is publicly accessible (yes/no) + - value: virtual + description: Identifies whether the asset is virtualized (yes/no) + - value: vlan-id + description: Virtual LAN identifier of the asset. + - value: network-id + description: The network identifier of the asset. + - value: label + description: A human-readable label for the parent context. + - value: sort-id + description: An alternative identifier, whose value is easily sortable among other such values in the document. + - value: baseline-configuration-name + description: The name of the baseline configuration for the asset. + - value: allows-authenticated-scan + description: Can the asset be check with an authenticated scan? (yes/no) + - value: function + description: The function provided by the asset for the system. + - value: hardware-model + description: '**(deprecated)** Use ''model'' instead.' + deprecated: 1.2.0 + - value: os-name + description: The name of the operating system used by the asset. + - value: os-version + description: The version of the operating system used by the asset. + - value: software-name + description: The software product name used by the asset. + - value: software-version + description: The software product version used by the asset. + - value: software-patch-level + description: The software product patch level used by the asset. + - value: ipv4-address + description: The Internet Protocol v4 Address of the asset. + - value: ipv6-address + description: The Internet Protocol v6 Address of the asset. + - value: fqdn + description: The full-qualified domain name (FQDN) of the asset. + - value: uri + description: A Uniform Resource Identifier (URI) for the asset. + - value: serial-number + description: A serial number for the asset. + - value: netbios-name + description: The NetBIOS name for the asset. + - value: mac-address + description: The media access control (MAC) address for the asset. + - value: physical-location + description: The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful + location identifiers). + - value: is-scanned + description: is the asset subjected to network scans? (yes/no) + constraint_ids: + - oscal-implemented-component-prop-name-values + - oscal-inventory-item-prop-name-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + inventory-item/prop[@value] where name=asset-type: + allowed_values: + - operating-system + - database + - web-server + - dns-server + - email-server + - directory-server + - pbx + - firewall + - router + - switch + - storage-array + - appliance + allow_other: true + definitions: + - value: operating-system + description: System software that manages computer hardware, software resources, and provides common services + for computer programs. + - value: database + description: An electronic collection of data, or information, that is specially organized for rapid search + and retrieval. + - value: web-server + description: A system that delivers content or services to end users over the Internet or an intranet. + - value: dns-server + description: A system that resolves domain names to internet protocol (IP) addresses. + - value: email-server + description: A computer system that sends and receives electronic mail messages. + - value: directory-server + description: A system that stores, organizes and provides access to directory information in order to unify + network resources. + - value: pbx + description: A private branch exchange (PBX) provides a a private telephone switchboard. + - value: firewall + description: A network security system that monitors and controls incoming and outgoing network traffic based + on predetermined security rules. + - value: router + description: A physical or virtual networking device that forwards data packets between computer networks. + - value: switch + description: A physical or virtual networking device that connects devices within a computer network by using + packet switching to receive and forward data to the destination device. + - value: storage-array + description: A consolidated, block-level data storage capability. + - value: appliance + description: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose. + constraint_ids: + - oscal-inventory-item-prop-asset-type-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: asset-type + inventory-item/prop[@value] where name=is-scanned: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The asset is included in periodic vulnerability scanning. + - value: 'no' + description: The asset is not included in periodic vulnerability scanning. + constraint_ids: + - oscal-inventory-item-prop-is-scanned-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: is-scanned + system-component/prop: + system-component/prop[@class]: + allowed_values: + - local + - remote + allow_other: false + definitions: + - value: local + description: The identified IP address is for this system. + - value: remote + description: The identified IP address is for the remote system to which this system is connected. + constraint_ids: + - oscal-component-prop-ipaddress-class-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + system-component/prop[@name]: + allowed_values: + - implementation-point + - leveraged-authorization-uuid + - inherited-uuid + - asset-type + - asset-id + - asset-tag + - public + - virtual + - vlan-id + - network-id + - label + - sort-id + - baseline-configuration-name + - allows-authenticated-scan + - function + - hardware-model + - model + - os-name + - os-version + - software-name + - software-version + - software-patch-level + - version + - patch-level + - release-date + - validation-type + - validation-reference + allow_other: false + definitions: + - value: implementation-point + description: Relative placement of component ('internal' or 'external') to the system. + - value: leveraged-authorization-uuid + description: UUID of the related leveraged-authorization assembly in this SSP. + - value: inherited-uuid + description: UUID of the component as it was assigned in the leveraged system's SSP. + - value: asset-type + description: Simple indication of the asset's function, such as Router, Storage Array, DNS Server. + - value: asset-id + description: An organizationally specific identifier that is used to uniquely identify a logical or tangible + item by the organization that owns the item. + - value: asset-tag + description: An asset tag assigned by the organization responsible for maintaining the logical or tangible item. + - value: public + description: Identifies whether the asset is publicly accessible (yes/no) + - value: virtual + description: Identifies whether the asset is virtualized (yes/no) + - value: vlan-id + description: Virtual LAN identifier of the asset. + - value: network-id + description: The network identifier of the asset. + - value: label + description: A human-readable label for the parent context. + - value: sort-id + description: An alternative identifier, whose value is easily sortable among other such values in the document. + - value: baseline-configuration-name + description: The name of the baseline configuration for the asset. + - value: allows-authenticated-scan + description: Can the asset be check with an authenticated scan? (yes/no) + - value: function + description: The function provided by the asset for the system. + - value: hardware-model + description: '**(deprecated)** Use ''model'' instead.' + deprecated: 1.2.0 + - value: model + description: The model of system used by the asset. + - value: os-name + description: The name of the operating system used by the asset. + - value: os-version + description: The version of the operating system used by the asset. + - value: software-name + description: The software product name used by the asset. + - value: software-version + description: The software product version used by the asset. + - value: software-patch-level + description: The software product patch level used by the asset. + - value: version + description: The version of the component. + - value: patch-level + description: The specific patch level of the component. + - value: release-date + description: The date the component was released, such as a software release date or policy publication date. + - value: validation-type + description: Used with component-type='validation' to provide a well-known name for a kind of validation. + - value: validation-reference + description: Used with component-type='validation' to indicate the validating body's assigned identifier for + their validation of this component. + constraint_ids: + - oscal-component-prop-name-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + system-component/prop[@value] where name=allows-authenticated-scan: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The component allows an authenticated scan. + - value: 'no' + description: The component does not allow an authenticated scan. + constraint_ids: + - oscal-component-prop-allows-authenticated-scan-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: allows-authenticated-scan + system-component/prop[@value] where name=asset-type: + allowed_values: + - operating-system + - database + - web-server + - dns-server + - email-server + - directory-server + - pbx + - firewall + - router + - switch + - storage-array + - appliance + allow_other: true + definitions: + - value: operating-system + description: System software that manages computer hardware, software resources, and provides common services + for computer programs. + - value: database + description: An electronic collection of data, or information, that is specially organized for rapid search + and retrieval. + - value: web-server + description: A system that delivers content or services to end users over the Internet or an intranet. + - value: dns-server + description: A system that resolves domain names to internet protocol (IP) addresses. + - value: email-server + description: A computer system that sends and receives electronic mail messages. + - value: directory-server + description: A system that stores, organizes and provides access to directory information in order to unify + network resources. + - value: pbx + description: A private branch exchange (PBX) provides a a private telephone switchboard. + - value: firewall + description: A network security system that monitors and controls incoming and outgoing network traffic based + on predetermined security rules. + - value: router + description: A physical or virtual networking device that forwards data packets between computer networks. + - value: switch + description: A physical or virtual networking device that connects devices within a computer network by using + packet switching to receive and forward data to the destination device. + - value: storage-array + description: A consolidated, block-level data storage capability. + - value: appliance + description: A physical or virtual machine that centralizes hardware, software, or services for a specific purpose. + constraint_ids: + - oscal-component-prop-asset-type-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: asset-type + system-component/prop[@value] where name=direction: + allowed_values: + - incoming + - outgoing + allow_other: false + definitions: + - value: incoming + description: Data from the remote system flows into this system. + - value: outgoing + description: Data from this system flows to the remote system. + constraint_ids: + - oscal-component-prop-direction-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: direction + system-component/prop[@value] where name=implementation-point: + allowed_values: + - internal + - external + allow_other: false + definitions: + - value: internal + description: The component is implemented within the system boundary. + - value: external + description: The component is implemented outside the system boundary. + constraint_ids: + - oscal-component-prop-implementation-point-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: implementation-point + system-component/prop[@value] where name=public: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The component is publicly accessible. + - value: 'no' + description: The component is not publicly accessible. + constraint_ids: + - oscal-component-prop-is-public-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: public + system-component/prop[@value] where name=virtual: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The component is virtualized. + - value: 'no' + description: The component is not virtualized. + constraint_ids: + - oscal-component-prop-is-virtual-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: virtual + system-user/prop: + system-user/prop[@name]: + allowed_values: + - type + - privilege-level + allow_other: false + definitions: + - value: type + description: The type of user, such as internal, external, or general-public. + - value: privilege-level + description: The user's privilege level within the system, such as privileged, non-privileged, no-logical-access. + constraint_ids: + - oscal-user-prop-name-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + system-user/prop[@value] where name=privilege-level: + allowed_values: + - privileged + - non-privileged + - no-logical-access + allow_other: false + definitions: + - value: privileged + description: This role has elevated access to the system, such as a group or system administrator. + - value: non-privileged + description: This role has typical user-level access to the system without elevated access. + - value: no-logical-access + description: This role has no access to the system, such as a manager who approves access as part of a process. + constraint_ids: + - oscal-user-prop-privilege-level-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: privilege-level + system-user/prop[@value] where name=type: + allowed_values: + - internal + - external + - general-public + allow_other: false + definitions: + - value: internal + description: A user account for a person or entity that is part of the organization who owns or operates the + system. + - value: external + description: A user account for a person or entity that is not part of the organization who owns or operates + the system. + - value: general-public + description: A user of the system considered to be outside + constraint_ids: + - oscal-user-prop-type-values + source_files: + - oscal_implementation-common_metaschema_RESOLVED.xml + conditions: + name: type + oscal-mapping-common: + confidence-score/category: + confidence-score/category: + allowed_values: + - unspecified + - high + - medium + - low + allow_other: true + definitions: + - value: unspecified + description: No category is specified for the confidence score. + - value: high + description: High confidence in the mapping. + - value: medium + description: Medium confidence in the mapping. + - value: low + description: Low confidence in the mapping. + constraint_ids: + - '' + source_files: + - oscal_mapping-common_metaschema_RESOLVED.xml + map/relationship: + map/relationship: + allowed_values: + - equivalent-to + - equal-to + - subset-of + - superset-of + - intersects-with + - no-relationship + allow_other: false + definitions: + - value: equivalent-to + description: "The source and target\n requirements are similar, although not necessarily\ + \ identical. The words\n may differ, but both mapped sets convey similar information\ + \ with the\n same effective meaning. This relationship may be reversed, since `A\n\ + \ equivalent-to B` also means that `B equivalent-to A`. This relationship\n \ + \ is less suitable for a syntactic\n matching-rationale\n \ + \ ." + - value: equal-to + description: "The source and target\n requirements are the same. Differences in capitalization,\ + \ spelling, and\n grammar can be ignored, if these differences do not change the\ + \ meaning.\n This relationship may be reversed, since `A equal-to B` also means\ + \ that\n `B equal-to A`." + - value: subset-of + description: "The source requirements are a subset of \n target requirements. In\ + \ other words, target contains\n all sourcerequirements and aditional others. This\n\ + \ relationship may be reversed as a `superset-of`, since `A subset-of B`\n \ + \ also means that `B superset-of A`." + - value: superset-of + description: "The source requirements are a\n superset of target requirements. In\ + \ other words, \n source contains all targetrequirements and aditional\n \ + \ others. This relationship may be reversed as a `subset-of`, since `A\n \ + \ superset-of B` also means that `B subset-of A`." + - value: intersects-with + description: "The source and target\n requirements have some overlap, but each includes\ + \ content that the other\n does not. This relationship may be reversed, since `A\ + \ intersects-with B`\n also means that `B intersects-with A`. A mapping at statement\ + \ level\n could result on relationships mapping that allows for more\n \ + \ inference than using this relationship type." + - value: no-relationship + description: "The source and target\n requirements are not related; their content\ + \ does not overlap. This\n relation is introduced not with the intention to support\ + \ exhaustiv\n mapping of all requirements and statements that have no overlap,\ + \ but\n rather to support edge cases such is the need to tailor a \n \ + \ relationship in the context of a component or system to better\n \ + \ align with the implementation and configuration of the respective\n component\ + \ or system. Also, this relationship is provided in\n support of the NIST IR\n\ + \ 8477." + constraint_ids: + - '' + source_files: + - oscal_mapping-common_metaschema_RESOLVED.xml + oscal-metadata: + .: + .[@name]: + allowed_values: + - marking + allow_other: false + definitions: + - value: marking + description: A label or descriptor that is tied to a sensitivity or classification marking system. An optional + class can be used to define the specific marking system used for the associated value. + constraint_ids: + - oscal-metadata-prop-name-values + source_files: + - oscal_metadata_metaschema_RESOLVED.xml + ./type: + ./type[@value]: + allowed_values: + - approval + - request-changes + allow_other: false + definitions: + - value: approval + description: An approval of a document instance's content. + - value: request-changes + description: A request from the responsible party or parties to change the content. + constraint_ids: + - oscal-metadata-action-type-values + source_files: + - oscal_metadata_metaschema_RESOLVED.xml + back-matter/prop: + back-matter/prop[@name]: + allowed_values: + - type + - version + - published + allow_other: false + definitions: + - value: type + description: Identifies the type of resource represented. The most specific appropriate type value SHOULD be + used. + - value: version + description: For resources representing a published document, this represents the version number of that document. + - value: published + description: For resources representing a published document, this represents the publication date of that document. + constraint_ids: + - oscal-back-matter-resource-prop-name-values + source_files: + - oscal_metadata_metaschema_RESOLVED.xml + back-matter/prop[@value] where name=type: + allowed_values: + - logo + - image + - screen-shot + - law + - regulation + - standard + - external-guidance + - acronyms + - citation + - policy + - procedure + - system-guide + - users-guide + - administrators-guide + - rules-of-behavior + - plan + - artifact + - evidence + - tool-output + - raw-data + - interview-notes + - questionnaire + - report + - agreement + allow_other: false + definitions: + - value: logo + description: Indicates the resource is an organization's logo. + - value: image + description: Indicates the resource represents an image. + - value: screen-shot + description: Indicates the resource represents an image of screen content. + - value: law + description: Indicates the resource represents an applicable law. + - value: regulation + description: Indicates the resource represents an applicable regulation. + - value: standard + description: Indicates the resource represents an applicable standard. + - value: external-guidance + description: Indicates the resource represents applicable guidance. + - value: acronyms + description: Indicates the resource provides a list of relevant acronyms. + - value: citation + description: Indicates the resource cites relevant information. + - value: policy + description: Indicates the resource is a policy. + - value: procedure + description: Indicates the resource is a procedure. + - value: system-guide + description: Indicates the resource is guidance document related to the subject system of an SSP. + - value: users-guide + description: Indicates the resource is guidance document a user's guide or administrator's guide. + - value: administrators-guide + description: Indicates the resource is guidance document a administrator's guide. + - value: rules-of-behavior + description: Indicates the resource represents rules of behavior content. + - value: plan + description: Indicates the resource represents a plan. + - value: artifact + description: Indicates the resource represents an artifact, such as may be reviewed by an assessor. + - value: evidence + description: Indicates the resource represents evidence, such as to support an assessment finding. + - value: tool-output + description: Indicates the resource represents output from a tool. + - value: raw-data + description: Indicates the resource represents machine data, which may require a tool or analysis for interpretation + or presentation. + - value: interview-notes + description: Indicates the resource represents notes from an interview, such as may be collected during an assessment. + - value: questionnaire + description: Indicates the resource is a set of questions, possibly with responses. + - value: report + description: Indicates the resource is a report. + - value: agreement + description: Indicates the resource is a formal agreement between two or more parties. + constraint_ids: + - oscal-back-matter-resource-prop-type-values + source_files: + - oscal_metadata_metaschema_RESOLVED.xml + conditions: + name: type + metadata/prop: + metadata/prop[@class] where name=type, value=data-center: + allowed_values: + - primary + - alternate + allow_other: true + definitions: + - value: primary + description: The location is a data-center used for normal operations. + - value: alternate + description: The location is a data-center used for fail-over or backup operations. + constraint_ids: + - oscal-metadata-location-prop-type-data-center-values + source_files: + - oscal_metadata_metaschema_RESOLVED.xml + conditions: + name: type + value: data-center + metadata/prop[@name]: + allowed_values: + - type + - mail-stop + - office + - job-title + - keywords + allow_other: false + definitions: + - value: type + description: Characterizes the kind of location. + - value: mail-stop + description: A mail stop associated with the party. + - value: office + description: The name or number of the party's office. + - value: job-title + description: The formal job title of a person. + - value: keywords + description: The value identifies a comma-seperated listing of keywords associated with this content. These + keywords may be used as search terms for indexing and other applications. + constraint_ids: + - oscal-metadata-location-prop-name-values + - oscal-metadata-party-prop-name-values + - oscal-metadata-prop-name-values + source_files: + - oscal_metadata_metaschema_RESOLVED.xml + metadata/prop[@value] where name=type: + allowed_values: + - data-center + allow_other: true + definitions: + - value: data-center + description: A location that contains computing assets. A class can be used to indicate the sub-type of data-center + as primary or alternate. + constraint_ids: + - oscal-metadata-location-prop-type-values + source_files: + - oscal_metadata_metaschema_RESOLVED.xml + conditions: + name: type + oscal-profile: + modify/prop: + modify/prop[@name]: + allowed_values: + - label + - sort-id + - alt-identifier + allow_other: false + definitions: + - value: label + description: A human-readable label for the parent context, which may be rendered in place of the actual identifier + for some use cases. + - value: sort-id + description: An alternative identifier, whose value is easily sortable among other such values in the document. + - value: alt-identifier + description: An alternate or aliased identifier for the parent context. + constraint_ids: + - oscal-profile-modify-alter-prop-name-values + source_files: + - oscal_profile_metaschema_RESOLVED.xml + oscal-ssp: + (.|statement|.//by-component)/prop: + (.|statement|.//by-component)/prop[@name]: + allowed_values: + - control-origination + allow_other: false + definitions: + - value: control-origination + description: Identifies the source of the implemented control. Any control-origination prop defined in a child + context will override the parent value. + constraint_ids: + - oscal-implemented-requirement-statement-by-component-prop-name-values + source_files: + - oscal_ssp_metaschema_RESOLVED.xml + (.|statement|.//by-component)/prop[@value] where name=control-origination: + allowed_values: + - organization + - system-specific + - customer-configured + - customer-provided + - inherited + allow_other: false + definitions: + - value: organization + description: The control is implemented by the organization owning the system, but is not specific to the system + itself. + - value: system-specific + description: The control is implemented specifically to this system. + - value: customer-configured + description: The control is provided by the system, but must be configured by the customer. + - value: customer-provided + description: The control must be implemented by the customer. + - value: inherited + description: This control is inherited from an underlying system. + constraint_ids: + - oscal-implemented-requirement-statement-by-component-prop-control-origination-values + source_files: + - oscal_ssp_metaschema_RESOLVED.xml + conditions: + name: control-origination + (component | inventory-item)/prop: + (component | inventory-item)/prop[@value] where name=allows-authenticated-scan: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The component allows an authenticated scan. + - value: 'no' + description: The component does not allow an authenticated scan. + constraint_ids: + - oscal-component-inventory-item-allows-authenticated-scan-values + source_files: + - oscal_ssp_metaschema_RESOLVED.xml + conditions: + name: allows-authenticated-scan + system-characteristics/prop: + system-characteristics/prop[@name]: + allowed_values: + - identity-assurance-level + - authenticator-assurance-level + - federation-assurance-level + - cloud-deployment-model + - cloud-service-model + allow_other: false + definitions: + - value: identity-assurance-level + description: A value of 1, 2, or 3 as defined by SP 800-63-3. + - value: authenticator-assurance-level + description: A value of 1, 2, or 3 as defined by SP 800-63-3. + - value: federation-assurance-level + description: A value of 1, 2, or 3 as defined by SP 800-63-3. + - value: cloud-deployment-model + description: 'The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, + hybrid-cloud, or other.' + - value: cloud-service-model + description: 'The associated value is one of: saas, paas, iaas, or other.' + constraint_ids: + - oscal-system-characteristics-prop-name-values + - oscal-system-characteristics-prop-name-values + source_files: + - oscal_ssp_metaschema_RESOLVED.xml + system-characteristics/prop[@value] where name=cloud-deployment-model: + allowed_values: + - public-cloud + - private-cloud + - community-cloud + - hybrid-cloud + - government-only-cloud + - other + allow_other: false + definitions: + - value: public-cloud + description: The public cloud deployment model as defined by The NIST Definition of Cloud Computing. + - value: private-cloud + description: The private cloud deployment model as defined by The NIST Definition of Cloud Computing. + - value: community-cloud + description: The community cloud deployment model as defined by The NIST Definition of Cloud Computing. + - value: hybrid-cloud + description: The hybrid cloud deployment model as defined by The NIST Definition of Cloud Computing. + - value: government-only-cloud + description: A specific type of community-cloud for use only by government services. + - value: other + description: Any other type of cloud deployment model that is exclusive to the other choices. + constraint_ids: + - oscal-system-characteristics-prop-cloud-deployment-model-values + source_files: + - oscal_ssp_metaschema_RESOLVED.xml + conditions: + name: cloud-deployment-model + system-characteristics/prop[@value] where name=cloud-service-model: + allowed_values: + - saas + - paas + - iaas + - other + allow_other: false + definitions: + - value: saas + description: Software as a service (SaaS) cloud service model as defined by The NIST Definition of Cloud Computing. + - value: paas + description: Platform as a service (PaaS) cloud service model as defined by The NIST Definition of Cloud Computing. + - value: iaas + description: Infrastructure as a service (IaaS) cloud service model as defined by The NIST Definition of Cloud + Computing. + - value: other + description: Any other type of cloud service model that is exclusive to the other choices. + constraint_ids: + - oscal-system-characteristics-prop-cloud-service-model-values + source_files: + - oscal_ssp_metaschema_RESOLVED.xml + conditions: + name: cloud-service-model + system-information/prop: + system-information/prop[@name]: + allowed_values: + - privacy-designation + allow_other: false + definitions: + - value: privacy-designation + description: Is this a privacy sensitive system? yes or no + constraint_ids: + - oscal-system-information-prop-name-values + source_files: + - oscal_ssp_metaschema_RESOLVED.xml + system-information/prop[@value] where name=privacy-designation: + allowed_values: + - 'yes' + - 'no' + allow_other: false + definitions: + - value: 'yes' + description: The system is privacy sensitive. + - value: 'no' + description: The system is not privacy sensitive. + constraint_ids: + - oscal-system-information-prop-privacy-designation-values + source_files: + - oscal_ssp_metaschema_RESOLVED.xml + conditions: + name: privacy-designation + http://csrc.nist.gov/ns/rmf: + oscal-control-common: + parameter/prop: + parameter/prop[@name]: + allowed_values: + - aggregates + allow_other: false + definitions: + - value: aggregates + description: "The parent parameter provides an\n aggregation of two or\ + \ more other parameters, each described\n by this property." + constraint_ids: + - oscal-rmf-parameter-prop-name + source_files: + - oscal_control-common_metaschema_RESOLVED.xml