OSCAL Plan of Action and Milestones (POA&M) Model 1.0.0-rc1 oscal-poam

The OSCAL Plan of Action and Milestones (POA&M) format is used to describe the information typically provided by an assessor during the preparation for an assessment.

The root of the OSCAL Plan of Action and Milestones (POA&M) format is plan-action-milestones.

plan-of-action-and-milestones
Publication metadata Provides information about the publication and availability of the containing document. Publication metadata: Provides information about the publication and availability of the containing document. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Revision History Entry An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first). Revision History Entry: An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first). Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Location A location, with associated metadata that can be referenced. Location: A location, with associated metadata that can be referenced. Location URL The uniform resource locator (URL) for a web site or Internet presence associated with the location. Location URL: The uniform resource locator (URL) for a web site or Internet presence associated with the location. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Location Universally Unique Identifier A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document. Location Universally Unique Identifier: A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document. Location Reference References a location defined in metadata. Location Reference: References a location defined in metadata. Party (organization or person) A responsible entity which is either a person or an organization. 
Party (organization or person): A responsible entity which is either a person or an organization. Party Name The full name of the party. This is typically the legal name associated with the party. Party Name: The full name of the party. This is typically the legal name associated with the party. Party Short Name A short common name, abbreviation, or acronym for the party. Party Short Name: A short common name, abbreviation, or acronym for the party. Party External Identifier An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID) Party External Identifier: An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID) External Identifier Schema Indicates the type of external identifier. External Identifier Schema: Indicates the type of external identifier. Organizational Affiliation Identifies that the party object is a member of the organization associated with the provided UUID. Organizational Affiliation: Identifies that the party object is a member of the organization associated with the provided UUID. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Party Universally Unique Identifier A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistantly used for a given party across revisions of the document. Party Universally Unique Identifier: A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistantly used for a given party across revisions of the document. Party Type A category describing the kind of party the object describes. Party Type: A category describing the kind of party the object describes. Party Reference References a party defined in metadata. Party Reference: References a party defined in metadata. 
Role Defines a function assumed or expected to be assumed by a party in a specific situation. Role: Defines a function assumed or expected to be assumed by a party in a specific situation. Role Short Name A short common name, abbreviation, or acronym for the role. Role Short Name: A short common name, abbreviation, or acronym for the role. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Role Identifier A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document. Role Identifier: A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document. Back matter A collection of resources, which may be included directly or by reference. Back matter: A collection of resources, which may be included directly or by reference. Resource A resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equavalent internet resources. Resource: A resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equavalent internet resources. Citation A citation consisting of end note text and optional structured bibliographic data. Citation: A citation consisting of end note text and optional structured bibliographic data. Bibliographic Definition A container for structured bibliographic information. The model of this information is undefined by OSCAL. Bibliographic Definition: A container for structured bibliographic information. The model of this information is undefined by OSCAL. Resource link A pointer to an external resource with an optional hash for verification and change detection. 
Resource link: A pointer to an external resource with an optional hash for verification and change detection. Hypertext Reference A resolvable URI reference to a resource. Hypertext Reference: A resolvable URI reference to a resource. Media Type Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry. Media Type: Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry. Base64 The Base64 alphabet in RFC 2045 - aligned with XSD. Base64: The Base64 alphabet in RFC 2045 - aligned with XSD. File Name Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded. File Name: Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded. Media Type Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry. Media Type: Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Resource Universally Unique Identifier A globally unique identifier that can be used to reference this defined resource elsewhere in an OSCAL document. A UUID should be consistantly used for a given resource across revisions of the document. Resource Universally Unique Identifier: A globally unique identifier that can be used to reference this defined resource elsewhere in an OSCAL document. A UUID should be consistantly used for a given resource across revisions of the document. Property An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values in some OSCAL formats. 
Property: An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values in some OSCAL formats. Property Universally Unique Identifier A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document. Property Universally Unique Identifier: A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document. Property Name A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object. Property Name: A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object. Property Namespace A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name. Property Namespace: A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name. Property Class A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns. Property Class: A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns. Annotated Property An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair with optional explanatory remarks. 
The value of an annotated property is a simple scalar value. Annotated Property: An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair with optional explanatory remarks. The value of an annotated property is a simple scalar value. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Annotated Property Name A textual label that uniquely identifies a specific attribute, characteristic, or quality of the annotated property's containing object. Annotated Property Name: A textual label that uniquely identifies a specific attribute, characteristic, or quality of the annotated property's containing object. Annotated Property Universally Unique Identifier A unique identifier that can be used to reference this annotated property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document. Annotated Property Universally Unique Identifier: A unique identifier that can be used to reference this annotated property elsewhere in an OSCAL document. A UUID should be consistantly used for a given location across revisions of the document. Annotated Property Namespace A namespace qualifying the annotated property's name. This allows different organizations to associate distinct semantics with the same name. Annotated Property Namespace: A namespace qualifying the annotated property's name. This allows different organizations to associate distinct semantics with the same name. Annotated Property Value Indicates the value of the attribute, characteristic, or quality. Annotated Property Value: Indicates the value of the attribute, characteristic, or quality. Link A reference to a local or remote resource Link: A reference to a local or remote resource Hypertext Reference A resolvable URL reference to a resource. Hypertext Reference: A resolvable URL reference to a resource. 
Relation Describes the type of relationship provided by the link. This can be an indicator of the link's purpose. Relation: Describes the type of relationship provided by the link. This can be an indicator of the link's purpose. Media Type Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry. Media Type: Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry. Responsible Party A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object. Responsible Party: A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Responsible Role The role that the party is responsible for. Responsible Role: The role that the party is responsible for. Responsible Role A reference to one or more roles with responsibility for performing a function relative to the containing object. Responsible Role: A reference to one or more roles with responsibility for performing a function relative to the containing object. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Responsible Role ID The role that is responsible for the business function. Responsible Role ID: The role that is responsible for the business function. Hash A representation of a cryptographic digest generated over a resource using a specified hash algorithm. Hash: A representation of a cryptographic digest generated over a resource using a specified hash algorithm. Hash algorithm Method by which a hash is derived Hash algorithm: Method by which a hash is derived Publication Timestamp The date and time the document was published. 
The date-time value must be formatted according to RFC 3339 with full time and time zone included. Publication Timestamp: The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included. Last Modified Timestamp The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included. Last Modified Timestamp: The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included. Document Version A string used to distinguish the current version of the document from other previous (and future) versions. Document Version: A string used to distinguish the current version of the document from other previous (and future) versions. OSCAL version The OSCAL model version the document was authored against. OSCAL version: The OSCAL model version the document was authored against. Email Address An email address as defined by RFC 5322 Section 3.4.1. Email Address: An email address as defined by RFC 5322 Section 3.4.1. Telephone Number Contact number by telephone. Telephone Number: Contact number by telephone. type flag Indicates the type of phone number. type flag: Indicates the type of phone number. Address A postal address for the location. Address: A postal address for the location. City City, town or geographical region for the mailing address. City: City, town or geographical region for the mailing address. State State, province or analogous geographical region for mailing address State: State, province or analogous geographical region for mailing address Postal Code Postal or ZIP code for mailing address Postal Code: Postal or ZIP code for mailing address Country Code The ISO 3166-1 alpha-2 country code for the mailing address. Country Code: The ISO 3166-1 alpha-2 country code for the mailing address. Address line A single line of an address. 
Address line: A single line of an address. Document Identifier A document identifier qualified by an identifier type. Document Identifier: A document identifier qualified by an identifier type. Document Identification Scheme Qualifies the kind of document identifier. Document Identification Scheme: Qualifies the kind of document identifier. Component A defined component that can be part of an implemented system. Component: A defined component that can be part of an implemented system. Status Describes the operational status of the system component. Status: Describes the operational status of the system component. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. State The operational status. State: The operational status. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Component Identifier The unique identifier for the component. Component Identifier: The unique identifier for the component. Component Type A category describing the purpose of the component. Component Type: A category describing the purpose of the component. Service Protocol Information Information about the protocol used to provide a service. Service Protocol Information: Information about the protocol used to provide a service. Service Protocol Information Universally Unique Identifier A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. Service Protocol Information Universally Unique Identifier: A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. 
Protocol Name The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. Protocol Name: The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. Port Range Where applicable this is the IPv4 port range on which the service operates. Port Range: Where applicable this is the IPv4 port range on which the service operates. Start Indicates the starting port number in a port range Start: Indicates the starting port number in a port range End Indicates the ending port number in a port range End: Indicates the ending port number in a port range Transport Indicates the transport type. Transport: Indicates the transport type. Inventory Item A single managed inventory item within the system. Inventory Item: A single managed inventory item within the system. Implemented Component The set of components that are implemented in a given system inventory item. Implemented Component: The set of components that are implemented in a given system inventory item. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Component Universally Unique Identifier Reference A reference to a component that is implemented as part of an inventory item. Component Universally Unique Identifier Reference: A reference to a component that is implemented as part of an inventory item. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Inventory Item Universally Unique Identifier A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. 
Inventory Item Universally Unique Identifier: A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. System Identification A unique identifier for the system described by this system security plan. System Identification: A unique identifier for the system described by this system security plan. Identification System Type Identifies the identification system from which the provided identifier was assigned. Identification System Type: Identifies the identification system from which the provided identifier was assigned. Import System Security Plan Used by the assessment plan and POA&M to import information about the system. Import System Security Plan: Used by the assessment plan and POA&M to import information about the system. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. System Security Plan Reference >A resolvable URL reference to the system security plan for the system being assessed. System Security Plan Reference: >A resolvable URL reference to the system security plan for the system being assessed. Task Represents a scheduled event or milestone, which may be associated with a series of assessment actions. Task: Represents a scheduled event or milestone, which may be associated with a series of assessment actions. Event Timing The timing under which the task is intended to occur. Event Timing: The timing under which the task is intended to occur. On Date Condition The task is intended to occur on the specified date. On Date Condition: The task is intended to occur on the specified date. On Date Condition The task must occur on the specified date. On Date Condition: The task must occur on the specified date. On Date Range Condition The task is intended to occur within the specified date range. 
On Date Range Condition: The task is intended to occur within the specified date range. Start Date Condition The task must occur on or after the specified date. Start Date Condition: The task must occur on or after the specified date. End Date Condition The task must occur on or before the specified date. End Date Condition: The task must occur on or before the specified date. Frequency Condition The task is intended to occur at the specified frequency. Frequency Condition: The task is intended to occur at the specified frequency. Period The task must occur after the specified period has elapsed. Period: The task must occur after the specified period has elapsed. Time Unit The unit of time for the period. Time Unit: The unit of time for the period. Task Dependency Used to indicate that a task is dependant on another task. Task Dependency: Used to indicate that a task is dependant on another task. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Task Universally Unique Identifier Reference References a unique task by UUID. Task Universally Unique Identifier Reference: References a unique task by UUID. Associated Activity Identifies an individual activity to be performed as part of an action. Associated Activity: Identifies an individual activity to be performed as part of an action. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Activity Universally Unique Identifier Reference References an activity defined in the list of activities. Activity Universally Unique Identifier Reference: References an activity defined in the list of activities. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Task Universally Unique Identifier Uniquely identifies this assessment task. Task Universally Unique Identifier: Uniquely identifies this assessment task. Task Type The type of task. 
Task Type: The type of task. Assessment Subject Placeholder Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log. Assessment Subject Placeholder: Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log. Assessment Subject Source Assessment subjects will be identified while conducting the referenced activity-instance. Assessment Subject Source: Assessment subjects will be identified while conducting the referenced activity-instance. Task Universally Unique Identifier Uniquely identifies an assessment activity to be performed as part of the event. This UUID may be referenced elsewhere in an OSCAL document when refering to this information. A UUID should be consistantly used for this schedule across revisions of the document. Task Universally Unique Identifier: Uniquely identifies an assessment activity to be performed as part of the event. This UUID may be referenced elsewhere in an OSCAL document when refering to this information. A UUID should be consistantly used for this schedule across revisions of the document. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Assessment Subject Placeholder Universally Unique Identifier Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task. Assessment Subject Placeholder Universally Unique Identifier: Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task. Subject of Assessment Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. 
In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope. Subject of Assessment: Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope. All A key word to indicate all. All: A key word to indicate all. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Subject Type Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement. Subject Type: Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement. Select Assessment Subject Identifies a set of assessment subjects to include/exclude by UUID. Select Assessment Subject: Identifies a set of assessment subjects to include/exclude by UUID. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. UUID Reference A pointer to a component, inventory-item, location, party, user, or resource using it's UUID. UUID Reference: A pointer to a component, inventory-item, location, party, user, or resource using it's UUID. Identifies the Subject A pointer to a resource based on its universally unique identifier (UUID). Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. Identifies the Subject: A pointer to a resource based on its universally unique identifier (UUID). 
Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. UUID Reference A pointer to a component, inventory-item, location, party, user, or resource using it's UUID. UUID Reference: A pointer to a component, inventory-item, location, party, user, or resource using it's UUID. Universally Unique Identifier Reference Type Used to indicate the type of object pointed to by the uuid-ref. Universally Unique Identifier Reference Type: Used to indicate the type of object pointed to by the uuid-ref. Objective Describes an individual observation. Objective: Describes an individual observation. Observation Method Identifies how the observation was made. Observation Method: Identifies how the observation was made. Observation Type Identifies the nature of the observation. More than one may be used to further qualify and enable filtering. Observation Type: Identifies the nature of the observation. More than one may be used to further qualify and enable filtering. Relevant Evidence Links this observation to relevant evidence. Relevant Evidence: Links this observation to relevant evidence. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Relevant Evidence Reference >A resolvable URL reference to relevant evidence. Relevant Evidence Reference: >A resolvable URL reference to relevant evidence. collected field Date/time stamp identifying when the finding information was collected. collected field: Date/time stamp identifying when the finding information was collected. expires field Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios. expires field: Date/time identifying when the finding information is out-of-date and no longer valid. 
Typically used with continuous assessment scenarios. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Observation Universally Unique Identifier Uniquely identifies this observation. This UUID may be referenced elsewhere in an OSCAL document when refering to this information. Once assigned, a UUID should be consistantly used for a given observation across revisions. Observation Universally Unique Identifier: Uniquely identifies this observation. This UUID may be referenced elsewhere in an OSCAL document when refering to this information. Once assigned, a UUID should be consistantly used for a given observation across revisions. Origin Identifies the source of the finding, such as a tool, interviewed person, or activity. Origin: Identifies the source of the finding, such as a tool, interviewed person, or activity. Originating Actor The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool. Originating Actor: The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool. Actor Type The kind of actor. Actor Type: The kind of actor. Actor UUID Reference A pointer to the tool or person based on the associated type. Actor UUID Reference: A pointer to the tool or person based on the associated type. Actor Role For a party, this can optionally be used to specify the role the actor was performing. Actor Role: For a party, this can optionally be used to specify the role the actor was performing. Task Reference Identifies an individual task for which the containing object is a consequence of. Task Reference: Identifies an individual task for which the containing object is a consequence of. Identified Subject Used to detail assessment subjects that were identfied by this task. 
Identified Subject: Used to detail assessment subjects that were identfied by this task. Assessment Subject Placeholder Universally Unique Identifier Reference References a unique assessment subject placeholder defined by this task. Assessment Subject Placeholder Universally Unique Identifier Reference: References a unique assessment subject placeholder defined by this task. Remarks Additional commentary on the containing object. Remarks: Additional commentary on the containing object. Task Universally Unique Identifier Reference References a unique task by UUID. Task Universally Unique Identifier Reference: References a unique task by UUID. Threat ID A pointer, by ID, to an externally-defined threat. Threat ID: A pointer, by ID, to an externally-defined threat. Threat Type Identification System Specifies the source of the threat information. Threat Type Identification System: Specifies the source of the threat information. Threat Information Resource Reference An optional location for the threat data, from which this ID originates. Threat Information Resource Reference: An optional location for the threat data, from which this ID originates. Identified Risk An identified risk. Identified Risk: An identified risk. Status Describes the status of the associated risk. Status: Describes the status of the associated risk. Mitigating Factor Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP. Mitigating Factor: Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP. Mitigating Factor Universally Unique Identifier Uniquely identifies this mitigating factor. This UUID may be referenced elsewhere in an OSCAL document when refering to this information. Once assigned, a UUID should be consistantly used for a given mitigating factor across revisions. 
Mitigating Factor Universally Unique Identifier: Uniquely identifies this mitigating factor. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given mitigating factor across revisions.
Implementation UUID: Points to an implementation statement in the SSP.
Risk Resolution Deadline: The date/time by which the risk must be resolved.
Risk Log: A log of all risk-related actions taken.
Risk Log Entry: Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.
Start: Identifies the start date and time of an event.
End: Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.
Action Reference: Identifies an individual risk response that this log entry is for.
Remarks: Additional commentary on the containing object.
Response Universally Unique Identifier Reference: References a unique risk response by UUID.
Remarks: Additional commentary on the containing object.
Risk Log Entry Universally Unique Identifier: Uniquely identifies an assessment event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.
Related Observation: Relates the finding to a set of referenced observations that were used to determine the finding.
Observation Universally Unique Identifier Reference: References an observation defined in the list of observations.
Risk Universally Unique Identifier: Uniquely identifies this risk. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given risk across revisions.
Logged By: Used to indicate who created a log entry in what role.
Party UUID Reference: A pointer to the party who is making the log entry.
Actor Role: A pointer to the role-id of the role in which the party is making the log entry.
Risk Status: Describes the status of the associated risk.
Characterization: A collection of descriptive data about the containing object from a specific origin.
Facet: An individual characteristic that is part of a larger set produced by the same actor.
Remarks: Additional commentary on the containing object.
Facet Name: The name of the risk metric within the specified system.
Naming System: Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.
Facet Value: Indicates the value of the facet.
Risk Response: Describes either a recommended or an actual plan for addressing the risk.
Required Asset: Identifies an asset required to achieve remediation.
Remarks: Additional commentary on the containing object.
Required Universally Unique Identifier: Uniquely identifies this required asset. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given required asset across revisions.
Remarks: Additional commentary on the containing object.
Remediation Universally Unique Identifier: Uniquely identifies this remediation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given remediation across revisions.
Remediation Intent: Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.
Plan of Action and Milestones (POA&M): A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.
POA&M Universally Unique Identifier: Uniquely identifies this POA&M. This UUID must be changed each time the content of the POA&M changes.
Local Definitions: Allows components and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.
Remarks: Additional commentary on the containing object.
POA&M Item: Describes an individual POA&M item.
Origin: Identifies the source of the finding, such as a tool or person.
Related Observation: Relates the poam-item to a set of referenced observations that were used to determine the finding.
Observation Universally Unique Identifier Reference: References an observation defined in the list of observations.
Associated Risk: Relates the finding to a set of referenced risks that were used to determine the finding.
Risk Universally Unique Identifier Reference: References a risk defined in the list of risks.
Remarks: Additional commentary on the containing object.
POA&M Item Universally Unique Identifier: Uniquely identifies the POA&M entry. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given POA&M item across revisions of the document.
The content model is the same as blockElementType, but line endings need to be preserved, since this is preformatted.
The xs:dateTime with a required timezone.
An email address. Need a better pattern.
A URI. Requires a scheme with colon per RFC 3986.
A URI reference, such as a relative URL.
A Type 4 ('random' or 'pseudorandom') UUID per RFC 4122. A sequence of 8-4-4-4-12 hex digits, with extra constraints in the 13th and 17-18th places for version 4.
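As an added example (not part of the OSCAL documentation), the sketch below checks three constraints this model states: UUIDs in version 4 form, date/times that carry a timezone, and poam-item references that resolve to a declared observation or risk. The JSON key names (`observations`, `risks`, `poam-items`, `related-observations`, `observation-uuid`, `associated-risks`, `risk-uuid`, `deadline`) are assumptions derived from the element names above, and the sample document is constructed.

```python
import re

# Version 4 UUID: 8-4-4-4-12 hex digits; the 13th hex digit is "4" and the
# 17th hex digit is 8, 9, a or b (the RFC 4122 variant).
UUID4 = re.compile(r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}"
                   r"-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}")
# xs:dateTime lexical form with the timezone part made mandatory.
DATETIME_TZ = re.compile(r"-?\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?"
                         r"(Z|[+-]\d{2}:\d{2})")

def is_uuid4(value):
    return isinstance(value, str) and UUID4.fullmatch(value) is not None

def has_timezone(value):
    return isinstance(value, str) and DATETIME_TZ.fullmatch(value) is not None

def check_poam(poam):
    # Returns a list of problem strings; key names are assumed, see lead-in.
    problems, declared = [], {}
    for kind in ("observations", "risks", "poam-items"):
        ids = [entry.get("uuid") for entry in poam.get(kind, [])]
        problems += [f"{kind}: bad uuid {i!r}" for i in ids if not is_uuid4(i)]
        declared[kind] = set(ids)
    for risk in poam.get("risks", []):
        if "deadline" in risk and not has_timezone(risk["deadline"]):
            problems.append(f"risk {risk.get('uuid')}: deadline lacks timezone")
    links = (("related-observations", "observation-uuid", "observations"),
             ("associated-risks", "risk-uuid", "risks"))
    for item in poam.get("poam-items", []):
        for list_key, ref_key, target in links:
            for ref in item.get(list_key, []):
                if ref.get(ref_key) not in declared[target]:
                    problems.append(f"poam-item {item.get('uuid')}: "
                                    f"dangling {ref_key} {ref.get(ref_key)!r}")
    return problems

# Constructed sample: one dangling risk reference, one deadline without timezone.
OBS = "0c4de4fc-9bde-46af-b6fe-3b5e78194dcf"
RISK = "8b5d5e6a-1c7f-4f0e-9d2b-6a4c3e2f1a0b"
DANGLING = "11111111-2222-4333-8444-555555555555"
SAMPLE = {
    "observations": [{"uuid": OBS}],
    "risks": [{"uuid": RISK, "deadline": "2021-03-01T00:00:00"}],
    "poam-items": [{"uuid": "e1f0a8c2-7b3d-4c9a-a5e4-2d1f0b9c8e7a",
                    "related-observations": [{"observation-uuid": OBS}],
                    "associated-risks": [{"risk-uuid": DANGLING}]}],
}
if __name__ == "__main__":
    print("\n".join(check_poam(SAMPLE)))
```

A well-formed UUID that points at nothing passes the datatype check, so the reference-resolution pass is what catches POA&M items linked to risks or observations that were removed or never delivered.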