OSCAL Profile Model 1.2.0 (short name: oscal-profile; namespace: http://csrc.nist.gov/ns/oscal/1.0; JSON base URI: http://csrc.nist.gov/ns/oscal)

In OSCAL a profile represents a set of selected controls from one or more control catalogs. Such a set of controls can be referenced by an OSCAL system security plan (SSP) to establish a control baseline. This effective set of controls is produced from an OSCAL profile using a deterministic, predictable process called profile resolution.

A profile references one or more OSCAL catalogs or profiles to import controls for control selection and tailoring. A profile can also describe how a resulting catalog is structured. When the profile is resolved, these selections and modifications are processed to produce a resulting OSCAL catalog.

OSCAL profiles have uses beyond establishing control baselines, such as documentation generation or as reference tables for validations.

Profile: Each OSCAL profile is defined by a profile element.

Root name: profile

Profile Universally Unique Identifier: Provides a globally unique means to identify a given profile instance.

An OSCAL document that describes a tailoring of controls from one or more catalogs, with possible modification of multiple controls. It provides mechanisms by which controls may be selected (import), merged or (re)structured (merge), and amended (modify). OSCAL profiles may select subsets of controls, set parameter values for them in application, and even adjust the representation of controls as given in and by a catalog. They may also serve as sources for further modification in and by other profiles that import them.

Import Resource: Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.

Catalog or Profile Reference: A resolvable URL reference to the base catalog or profile that this profile is tailoring.

This value may be one of:

  1. an absolute URI that points to a network resolvable resource,
  2. a relative reference pointing to a network resolvable resource whose base URI is the URI of the containing document, or
  3. a bare URI fragment (i.e., `#uuid`) pointing to a back-matter resource in this or an imported document (see linking to another OSCAL object).

Identifies that all controls are to be included from the imported catalog or profile.

include-controls

If with-child-controls is yes on the call to a control, any controls appearing within it (child controls) will be selected, with no additional call directives required. This flag provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

exclude-controls

Identifies which controls to exclude, or eliminate, from the set of included controls by control identifier or match pattern.

The contents of the import element indicate which controls from the source will be included. Controls from the source catalog or profile may be either selected, using the include-all or include-controls directives, or de-selected (using an exclude-controls directive).

Merge Controls: Provides structuring directives that instruct how controls are organized after profile resolution.

Combination Rule: A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID).

Combination Method: Declare how clashing controls should be handled. Allowed values:

  1. Use the first definition - the first control with a given ID is used; subsequent ones are discarded
  2. **(deprecated)** **(unspecified)** Merge - controls with the same ID are combined
  3. Keep - controls with the same ID are kept, retaining the clash

Flat Without Grouping: Directs that controls appear without any grouping structure.

Group As-Is: Indicates that the controls selected should retain their original grouping as defined in the import source.

Custom Grouping: Provides an alternate grouping structure that selected controls will be placed in.

The custom element represents a custom arrangement or organization of controls in the resolution of a catalog. This structuring directive gives the profile author the ability to define an entirely different organization of controls as compared to their source catalog(s).

Control Group: A group of (selected) controls or of groups of controls.

Group Identifier: Identifies the group.

This optional data element is available to support hyperlinking to formal groups or families as defined in control catalogs, among other operations.

Group Class: A textual label that provides a sub-type or characterization of the group.

A class can be used in validation rules to express extra constraints over named items of a specific class value.

A class can also be used in an OSCAL profile as a means to target an alteration to control content.

Group Title: A name to be given to the group for use in display.

This construct mirrors the same construct that exists in an OSCAL catalog.

Modify Controls: Set parameters or amend controls in resolution.

Parameter Setting: A parameter setting, to be propagated to points of insertion.

Parameter ID: An identifier for the parameter.

Parameter Class: A textual label that provides a characterization of the parameter.

A class can be used in validation rules to express extra constraints over named items of a specific class value.

Depends On: **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.

Parameter Label: A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

The label value should be suitable for inline display in a rendered catalog.

Parameter Usage Description: Describes the purpose and use of a parameter.

constraint

guideline

value

Used to (re)define a parameter value.

select

Alteration: Specifies changes to be made to an included control when a profile is resolved.

Removal: Specifies objects to be removed from a control based on specific aspects of the object that must all match.

Reference by (assigned) name: Identify items to remove by matching their assigned name.

Reference by class: Identify items to remove by matching their class.

Reference by ID: Identify items to remove indicated by their id.

Item Name Reference: Identify items to remove by the name of the item's information object name, e.g. title or prop. Allowed values:

  1. A descendant parameter and all of its descendants.
  2. A descendant property and all of its descendants.
  3. A descendant link and all of its descendants.
  4. A descendant parameter and all of its descendants.
  5. A descendant mapping and all of its descendants.
  6. A descendant mapping entry (map) and all of its descendants.

Item Namespace Reference: Identify items to remove by the item's ns, which is the namespace associated with a part, or prop.

Use by-name, by-class, by-id or by-item-name to indicate class tokens or ID reference, or the formal name, of the component to be removed or erased from a control, when a catalog is resolved. The control affected is indicated by the pointer on the removal's parent (containing) alter element.

To change an element, use remove to remove the element, then add to add it back again with changes.

Addition: Specifies contents to be added into controls, in resolution.

Position: Where to add the new content with respect to the targeted element (beside it or inside it). Allowed values:

  1. Preceding the by-id target
  2. Following the by-id target
  3. Inside the control or by-id target, at the start
  4. Inside the control or by-id target, at the end

Reference by ID: Target location of the addition.

Title Change: A name given to the control, which may be used by a tool for display and navigation.

When no by-id is given, the addition is inserted into the control targeted by the alteration at the start or end as indicated by position. Only position values of "starting" or "ending" are permitted when there is no by-id.

by-id, when given, should indicate, by its ID, an element inside the control to serve as the anchor point for the addition. In this case, position value may be any of the permitted values.

Use @control-id to indicate the scope of alteration.

It is an error for two alter elements to apply to the same control. In practice, multiple alterations can be applied (together), but it creates confusion.

At present, no provision is made for altering many controls at once (for example, to systematically remove properties or add global properties); extending this element to match multiple control IDs could provide for this.

Since multiple set-parameter entries can be provided, each parameter must be set only once.
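The three constraints stated above for the modify section (a position without by-id must be "starting" or "ending", one alter per control, each parameter set once) can be checked before a profile is resolved. The following is an added example, not part of the OSCAL model or its tooling; it assumes the OSCAL JSON key names (`set-parameters`, `alters`, `adds`) and runs on a constructed sample with illustrative IDs.

```python
from collections import Counter

INSIDE = {"starting", "ending"}            # permitted without by-id
POSITIONS = INSIDE | {"before", "after"}   # permitted when by-id is given

# Constructed sample (OSCAL JSON key names; IDs and values are illustrative).
SAMPLE = {"profile": {"modify": {
    "set-parameters": [
        {"param-id": "ac-1_prm_1", "values": ["annually"]},
        {"param-id": "ac-1_prm_1", "values": ["monthly"]},
    ],
    "alters": [
        {"control-id": "ac-2", "adds": [{"position": "before"}]},
        {"control-id": "ac-2", "adds": [{"position": "after", "by-id": "ac-2_smt"}]},
        {"control-id": "ac-3", "adds": [{"position": "ending"}]},
    ],
}}}


def lint_modify(doc):
    """Return findings for the modify section of a profile document."""
    modify = doc.get("profile", {}).get("modify", {})
    alters = modify.get("alters", [])
    findings = []

    # Each parameter must be set only once.
    params = Counter(sp["param-id"] for sp in modify.get("set-parameters", []))
    findings += [f"parameter {p} set {n} times" for p, n in params.items() if n > 1]

    # Two alter entries must not apply to the same control.
    targets = Counter(a["control-id"] for a in alters)
    findings += [f"control {c} has {n} alter entries" for c, n in targets.items() if n > 1]

    # Without by-id, an addition may only go at the start or end of the control.
    for alter in alters:
        for add in alter.get("adds", []):
            pos = add.get("position")
            if pos is None:
                continue  # no position stated; nothing to check
            if pos not in POSITIONS:
                findings.append(f"{alter['control-id']}: unknown position {pos!r}")
            elif "by-id" not in add and pos not in INSIDE:
                findings.append(f"{alter['control-id']}: position {pos!r} needs by-id")
    return findings
```

Running `lint_modify(SAMPLE)` reports the duplicated parameter, the control with two alter entries, and the addition whose position needs a by-id anchor.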

Insert Controls: Specifies which controls to use in the containing context.

Order: A designation of how a selection of controls in a profile is to be ordered. Allowed values:

  1. Use the order of their appearance, using a depth-first traversal of the source profile's imports.
  2. Sort all selected controls into ascending alphanumeric order by their ID.
  3. Sort all selected controls into descending alphanumeric order by their ID.

include-controls

exclude-controls

Identifies which controls to exclude, or eliminate, from the set of matching includes.

To be schema-valid, this element must contain either (but not both) a single include-all directive, or a sequence of include-controls directives.

If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.

Select Control: Select a control or controls from an imported control set.

If with-child-controls is yes on the call to a control, no sibling call elements need to be used to call any controls appearing within it. Since this is generally how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

Include Contained Controls with Control: When a control is included, whether its child (dependent) controls are also included. Allowed values:

  1. Include child controls with an included control.
  2. When importing a control, only include child controls that are also explicitly called.

Pattern: A glob expression matching the IDs of one or more controls to be selected.

Match Controls by Identifier: Selecting a control by its ID given as a literal.

Match Controls by Pattern: Selecting a set of controls by matching their IDs with a wildcard pattern.
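The selection rules described for import and for Select Control (include-all or include-controls, matching by ID or glob pattern, with-child-controls, then exclude-controls) can be seen working together in a short script. This is an added example, not the reference profile-resolution implementation; it assumes the OSCAL JSON key names (`with-ids`, `matching`, `pattern`), uses Python's `fnmatch` as a stand-in for the glob syntax, and runs on a constructed catalog with illustrative IDs.

```python
from fnmatch import fnmatchcase

# Constructed sample catalog in OSCAL JSON shape; the IDs are illustrative.
CATALOG = {"groups": [
    {"id": "ac", "controls": [
        {"id": "ac-1"},
        {"id": "ac-2", "controls": [{"id": "ac-2.1"}, {"id": "ac-2.2"}]},
    ]},
    {"id": "au", "controls": [{"id": "au-1"}, {"id": "au-2"}]},
]}


def walk(container, parent=None):
    """Yield (control_id, parent_control_id) depth-first, in document order."""
    for group in container.get("groups", []):
        yield from walk(group)
    for control in container.get("controls", []):
        yield control["id"], parent
        yield from walk(control, control["id"])


def matches(selector, cid):
    """True if one include-controls/exclude-controls entry names this ID."""
    if cid in selector.get("with-ids", []):
        return True
    return any(fnmatchcase(cid, m["pattern"]) for m in selector.get("matching", []))


def expand(catalog, selectors):
    """Control IDs named by a list of selectors, honouring with-child-controls."""
    picked, carry = [], set()   # carry: controls whose children ride along
    for cid, parent in walk(catalog):
        hits = [s for s in selectors if matches(s, cid)]
        inherited = parent in carry
        if hits or inherited:
            picked.append(cid)
        if inherited or any(s.get("with-child-controls") == "yes" for s in hits):
            carry.add(cid)
    return picked


def select_controls(catalog, imp):
    """Apply one import entry: include-all or include-controls, then exclude-controls."""
    if "include-all" in imp:
        included = [cid for cid, _ in walk(catalog)]
    else:
        included = expand(catalog, imp.get("include-controls", []))
    excluded = set(expand(catalog, imp.get("exclude-controls", [])))
    return [cid for cid in included if cid not in excluded]
```

Calling `select_controls(CATALOG, imp)` with an `imp` that selects `ac-2` with child controls and excludes `ac-2.2` returns `ac-2` and `ac-2.1` only, which makes it easy to review what a baseline actually pulls in before it is referenced from an SSP.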