OSCAL Unified Model of Models

1.0.6

oscal-complete

This format represents a combination of all of the OSCAL models.

catalog profile component-definition system-security-plan assessment-plan assessment-results plan-of-action-and-milestones

Catalog

A collection of controls. Catalog: A collection of controls.

Catalog Universally Unique Identifier

A globally unique identifier with cross-instance scope for this catalog instance. This UUID should be changed when this document is revised. Catalog Universally Unique Identifier: A globally unique identifier with cross-instance scope for this catalog instance. This UUID should be changed when this document is revised.

Control Group

A group of controls, or of groups of controls. Control Group: A group of controls, or of groups of controls.

Group Title

A name given to the group, which may be used by a tool for display and navigation. Group Title: A name given to the group, which may be used by a tool for display and navigation.

Group Identifier

A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document. Group Identifier: A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document.

Group Class

A textual label that provides a sub-type or characterization of the group. Group Class: A textual label that provides a sub-type or characterization of the group.

Control

A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance. Control: A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.

Control Title

A name given to the control, which may be used by a tool for display and navigation. Control Title: A name given to the control, which may be used by a tool for display and navigation.

Control Identifier

A human-oriented, locally unique identifier with instance scope that can be used to reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same control across revisions of the document. Control Identifier: A human-oriented, locally unique identifier with instance scope that can be used to reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same control across revisions of the document.

Control Class

A textual label that provides a sub-type or characterization of the control. Control Class: A textual label that provides a sub-type or characterization of the control.

Part

A partition of a control's definition or a child of another part. Part: A partition of a control's definition or a child of another part.

Part Title

A name given to the part, which may be used by a tool for display and navigation. Part Title: A name given to the part, which may be used by a tool for display and navigation.

Part Identifier

A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined part elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Part Identifier: A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined part elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Part Name

A textual label that uniquely identifies the part's semantic type. Part Name: A textual label that uniquely identifies the part's semantic type.

Part Namespace

A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name. Part Namespace: A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.

Part Class

A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns. Part Class: A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.

Parameter

Parameters provide a mechanism for the dynamic assignment of value(s) in a control. Parameter: Parameters provide a mechanism for the dynamic assignment of value(s) in a control.

Parameter Label

A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned. Parameter Label: A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

Parameter Usage Description

Describes the purpose and use of a parameter Parameter Usage Description: Describes the purpose and use of a parameter

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Parameter Identifier

A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Parameter Identifier: A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Parameter Class

A textual label that provides a characterization of the parameter. Parameter Class: A textual label that provides a characterization of the parameter.

Depends on

**(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used. Depends on: **(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.

Constraint

A formal or informal expression of a constraint or test Constraint: A formal or informal expression of a constraint or test

Constraint Description

A textual summary of the constraint to be applied. Constraint Description: A textual summary of the constraint to be applied.

Constraint Test

A test expression which is expected to be evaluated by a tool. Constraint Test: A test expression which is expected to be evaluated by a tool.

Constraint test

A formal (executable) expression of a constraint Constraint test: A formal (executable) expression of a constraint

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Guideline

A prose statement that provides a recommendation for the use of a parameter. Guideline: A prose statement that provides a recommendation for the use of a parameter.

Parameter Value

A parameter value or set of values. Parameter Value: A parameter value or set of values.

Selection

Presenting a choice among alternatives Selection: Presenting a choice among alternatives

Choice

A value selection among several such options. Choice: A value selection among several such options.

Parameter Cardinality

Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted. Parameter Cardinality: Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.

Include All

Include all controls from the imported catalog or profile resources. Include All: Include all controls from the imported catalog or profile resources.

Publication metadata

Provides information about the publication and availability of the containing document. Publication metadata: Provides information about the publication and availability of the containing document.

Document Title

A name given to the document, which may be used by a tool for display and navigation. Document Title: A name given to the document, which may be used by a tool for display and navigation.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Revision History Entry

An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first). Revision History Entry: An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).

Document Title

A name given to the document revision, which may be used by a tool for display and navigation. Document Title: A name given to the document revision, which may be used by a tool for display and navigation.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Location

A location, with associated metadata that can be referenced. Location: A location, with associated metadata that can be referenced.

Location Title

A name given to the location, which may be used by a tool for display and navigation. Location Title: A name given to the location, which may be used by a tool for display and navigation.

Location URL

The uniform resource locator (URL) for a web site or Internet presence associated with the location. Location URL: The uniform resource locator (URL) for a web site or Internet presence associated with the location.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Location Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined location elsewhere in this or other OSCAL instances. The locally defined UUID of the location can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Location Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined location elsewhere in this or other OSCAL instances. The locally defined UUID of the location can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Location Reference

A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). Location Reference: A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Party (organization or person)

A responsible entity which is either a person or an organization. Party (organization or person): A responsible entity which is either a person or an organization.

Party Name

The full name of the party. This is typically the legal name associated with the party. Party Name: The full name of the party. This is typically the legal name associated with the party.

Party Short Name

A short common name, abbreviation, or acronym for the party. Party Short Name: A short common name, abbreviation, or acronym for the party.

Party External Identifier

An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID) Party External Identifier: An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)

External Identifier Schema

Indicates the type of external identifier. External Identifier Schema: Indicates the type of external identifier.

Organizational Affiliation

A machine-oriented identifier reference to another party (person or organization) that this subject is associated with. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). Organizational Affiliation: A machine-oriented identifier reference to another party (person or organization) that this subject is associated with. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Party Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined party elsewhere in this or other OSCAL instances. The locally defined UUID of the party can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Party Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined party elsewhere in this or other OSCAL instances. The locally defined UUID of the party can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Party Type

A category describing the kind of party the object describes. Party Type: A category describing the kind of party the object describes.

Party Reference

A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). Party Reference: A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Role

Defines a function assumed or expected to be assumed by a party in a specific situation. Role: Defines a function assumed or expected to be assumed by a party in a specific situation.

Role Title

A name given to the role, which may be used by a tool for display and navigation. Role Title: A name given to the role, which may be used by a tool for display and navigation.

Role Short Name

A short common name, abbreviation, or acronym for the role. Role Short Name: A short common name, abbreviation, or acronym for the role.

Role Description

A summary of the role's purpose and associated responsibilities. Role Description: A summary of the role's purpose and associated responsibilities.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Role Identifier

A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined role elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL instance must be referenced in the context of the containing resource (e.g., import, import-component-definition, import-profile, import-ssp or import-ap). This ID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Role Identifier: A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined role elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL instance must be referenced in the context of the containing resource (e.g., import, import-component-definition, import-profile, import-ssp or import-ap). This ID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Role Identifier Reference

A human-oriented identifier reference to roles served by the user. Role Identifier Reference: A human-oriented identifier reference to roles served by the user.

Back matter

A collection of resources, which may be included directly or by reference. Back matter: A collection of resources, which may be included directly or by reference.

Resource

A resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equivalent internet resources. Resource: A resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equivalent internet resources.

Resource Title

A name given to the resource, which may be used by a tool for display and navigation. Resource Title: A name given to the resource, which may be used by a tool for display and navigation.

Resource Description

A short summary of the resource used to indicate the purpose of the resource. Resource Description: A short summary of the resource used to indicate the purpose of the resource.

Citation

A citation consisting of end note text and optional structured bibliographic data. Citation: A citation consisting of end note text and optional structured bibliographic data.

Citation Text

A line of citation text. Citation Text: A line of citation text.

Resource link

A pointer to an external resource with an optional hash for verification and change detection. Resource link: A pointer to an external resource with an optional hash for verification and change detection.

Hypertext Reference

A resolvable URI reference to a resource. Hypertext Reference: A resolvable URI reference to a resource.

Media Type

Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry. Media Type: Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.

Base64

The Base64 alphabet in RFC 2045 - aligned with XSD. Base64: The Base64 alphabet in RFC 2045 - aligned with XSD.

File Name

Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded. File Name: Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.

Media Type

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Resource Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined resource elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Resource Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined resource elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Property

An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values. Property: An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Property Name

A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object. Property Name: A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

Property Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Property Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Property Namespace

A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name. Property Namespace: A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

Property Value

Indicates the value of the attribute, characteristic, or quality. Property Value: Indicates the value of the attribute, characteristic, or quality.

Property Class

A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns. Property Class: A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

Link

A reference to a local or remote resource Link: A reference to a local or remote resource

Link Text

A textual label to associate with the link, which may be used for presentation in a tool. Link Text: A textual label to associate with the link, which may be used for presentation in a tool.

Hypertext Reference

A resolvable URL reference to a resource. Hypertext Reference: A resolvable URL reference to a resource.

Relation

Describes the type of relationship provided by the link. This can be an indicator of the link's purpose. Relation: Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.

Media Type

Responsible Party

A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object. Responsible Party: A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Responsible Role

A human-oriented identifier reference to roles served by the user. Responsible Role: A human-oriented identifier reference to roles served by the user.

Responsible Role

A reference to one or more roles with responsibility for performing a function relative to the containing object. Responsible Role: A reference to one or more roles with responsibility for performing a function relative to the containing object.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Responsible Role ID

A human-oriented identifier reference to roles responsible for the business function. Responsible Role ID: A human-oriented identifier reference to roles responsible for the business function.

Hash

A representation of a cryptographic digest generated over a resource using a specified hash algorithm. Hash: A representation of a cryptographic digest generated over a resource using a specified hash algorithm.

Hash algorithm

Method by which a hash is derived Hash algorithm: Method by which a hash is derived

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Publication Timestamp

The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included. Publication Timestamp: The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

Last Modified Timestamp

The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included. Last Modified Timestamp: The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

Document Version

A string used to distinguish the current version of the document from other previous (and future) versions. Document Version: A string used to distinguish the current version of the document from other previous (and future) versions.

OSCAL version

The OSCAL model version the document was authored against. OSCAL version: The OSCAL model version the document was authored against.

Email Address

An email address as defined by RFC 5322 Section 3.4.1. Email Address: An email address as defined by RFC 5322 Section 3.4.1.

Telephone Number

Contact number by telephone. Telephone Number: Contact number by telephone.

type flag

Indicates the type of phone number. type flag: Indicates the type of phone number.

Address

A postal address for the location. Address: A postal address for the location.

City

City, town or geographical region for the mailing address. City: City, town or geographical region for the mailing address.

State

State, province or analogous geographical region for mailing address State: State, province or analogous geographical region for mailing address

Postal Code

Postal or ZIP code for mailing address Postal Code: Postal or ZIP code for mailing address

Country Code

The ISO 3166-1 alpha-2 country code for the mailing address. Country Code: The ISO 3166-1 alpha-2 country code for the mailing address.

Address Type

Indicates the type of address. Address Type: Indicates the type of address.

Address line

A single line of an address. Address line: A single line of an address.

Document Identifier

A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element. Document Identifier: A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.

Document Identification Scheme

Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters. Document Identification Scheme: Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

Profile

Each OSCAL profile is defined by a Profile element Profile: Each OSCAL profile is defined by a Profile element

Profile Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this profile elsewhere in this or other OSCAL instances. The locally defined UUID of the profile can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This identifier should be assigned per-subject, which means it should be consistently used to identify the same profile across revisions of the document. Profile Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this profile elsewhere in this or other OSCAL instances. The locally defined UUID of the profile can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This identifier should be assigned per-subject, which means it should be consistently used to identify the same profile across revisions of the document.

Import resource

The import designates a catalog or profile to be included (referenced and potentially modified) by this profile. The import also identifies which controls to select using the include-all, include-controls, and exclude-controls directives. Import resource: The import designates a catalog or profile to be included (referenced and potentially modified) by this profile. The import also identifies which controls to select using the include-all, include-controls, and exclude-controls directives.

Catalog or Profile Reference

A resolvable URL reference to the base catalog or profile that this profile is tailoring. Catalog or Profile Reference: A resolvable URL reference to the base catalog or profile that this profile is tailoring.

Merge controls

A Merge element provides structuring directives that drive how controls are organized after resolution. Merge controls: A Merge element provides structuring directives that drive how controls are organized after resolution.

Combination rule

A Combine element defines how to combine multiple (competing) versions of the same control. Combination rule: A Combine element defines how to combine multiple (competing) versions of the same control.

Combination method

How clashing controls should be handled Combination method: How clashing controls should be handled

Flat

Use the flat structuring method. Flat: Use the flat structuring method.

As-Is Structuring Directive

An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. As-Is Structuring Directive: An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes.

Custom grouping

A Custom element frames a structure for embedding represented controls in resolution. Custom grouping: A Custom element frames a structure for embedding represented controls in resolution.

Control group

A group of (selected) controls or of groups of controls Control group: A group of (selected) controls or of groups of controls

Group Title

A name given to the group, which may be used by a tool for display and navigation. Group Title: A name given to the group, which may be used by a tool for display and navigation.

Group Identifier

A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document. Group Identifier: A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document.

Group Class

A textual label that provides a sub-type or characterization of the group. Group Class: A textual label that provides a sub-type or characterization of the group.

Modify controls

Set parameters or amend controls in resolution Modify controls: Set parameters or amend controls in resolution

Parameter Setting

A parameter setting, to be propagated to points of insertion Parameter Setting: A parameter setting, to be propagated to points of insertion

Parameter Label

Parameter Usage Description

Describes the purpose and use of a parameter Parameter Usage Description: Describes the purpose and use of a parameter

Parameter ID

A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Parameter ID: A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Parameter Class

A textual label that provides a characterization of the parameter. Parameter Class: A textual label that provides a characterization of the parameter.

Depends on

Select controls

Specifies which controls to use in the containing context. Select controls: Specifies which controls to use in the containing context.

Order

A designation of how a selection of controls in a profile is to be ordered. Order: A designation of how a selection of controls in a profile is to be ordered.

Call

Call a control by its ID Call: Call a control by its ID

Match Controls by Identifier

Match Controls by Identifier:

Match Controls by Pattern

Select controls by (regular expression) match on ID Match Controls by Pattern: Select controls by (regular expression) match on ID

Pattern

A glob expression matching the IDs of one or more controls to be selected. Pattern: A glob expression matching the IDs of one or more controls to be selected.

Include contained controls with control

When a control is included, whether its child (dependent) controls are also included. Include contained controls with control: When a control is included, whether its child (dependent) controls are also included.

Alteration

An Alter element specifies changes to be made to an included control when a profile is resolved. Alteration: An Alter element specifies changes to be made to an included control when a profile is resolved.

Control Identifier Reference

A human-oriented identifier reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). Control Identifier Reference: A human-oriented identifier reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).

Removal

Specifies objects to be removed from a control based on specific aspects of the object that must all match. Removal: Specifies objects to be removed from a control based on specific aspects of the object that must all match.

Reference by (assigned) name

Identify items to remove by matching their assigned name Reference by (assigned) name: Identify items to remove by matching their assigned name

Reference by class

Identify items to remove by matching their class. Reference by class: Identify items to remove by matching their class.

Reference by ID

Identify items to remove indicated by their id. Reference by ID: Identify items to remove indicated by their id.

Item Name Reference

Identify items to remove by the name of the item's information element name, e.g. title or prop Item Name Reference: Identify items to remove by the name of the item's information element name, e.g. title or prop

Item Namespace Reference

Identify items to remove by the item's ns, which is the namespace associated with a part, or prop. Item Namespace Reference: Identify items to remove by the item's ns, which is the namespace associated with a part, or prop.

Addition

Specifies contents to be added into controls, in resolution Addition: Specifies contents to be added into controls, in resolution

Title Change

A name given to the control, which may be used by a tool for display and navigation. Title Change: A name given to the control, which may be used by a tool for display and navigation.

Position

Where to add the new content with respect to the targeted element (beside it or inside it) Position: Where to add the new content with respect to the targeted element (beside it or inside it)

Reference by ID

Target location of the addition. Reference by ID: Target location of the addition.

Component Definition

A collection of component descriptions, which may optionally be grouped by capability. Component Definition: A collection of component descriptions, which may optionally be grouped by capability.

Component Definition Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component definition elsewhere in this or other OSCAL instances. The locally defined UUID of the component definition can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Component Definition Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component definition elsewhere in this or other OSCAL instances. The locally defined UUID of the component definition can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Import Component Definition

Loads a component definition from another resource. Import Component Definition: Loads a component definition from another resource.

Hyperlink Reference

A link to a resource that defines a set of components and/or capabilities to import into this collection. Hyperlink Reference: A link to a resource that defines a set of components and/or capabilities to import into this collection.

Component

A defined component that can be part of an implemented system. Component: A defined component that can be part of an implemented system.

Component Title

A human readable name for the component. Component Title: A human readable name for the component.

Component Description

A description of the component, including information about its function. Component Description: A description of the component, including information about its function.

Purpose

A summary of the technological or business purpose of the component. Purpose: A summary of the technological or business purpose of the component.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Component Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Component Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Component Type

A category describing the purpose of the component. Component Type: A category describing the purpose of the component.

Capability

A grouping of other components and/or capabilities. Capability: A grouping of other components and/or capabilities.

Capability Description

A summary of the capability. Capability Description: A summary of the capability.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Capability Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this capability elsewhere in this or other OSCAL instances. The locally defined UUID of the capability can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Capability Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this capability elsewhere in this or other OSCAL instances. The locally defined UUID of the capability can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Capability Name

The capability's human-readable name. Capability Name: The capability's human-readable name.

Incorporates Component

TBD Incorporates Component: TBD

Component Description

A description of the component, including information about its function. Component Description: A description of the component, including information about its function.

Component Reference

A machine-oriented identifier reference to a component. Component Reference: A machine-oriented identifier reference to a component.

Control Implementation Set

Defines how the component or capability supports a set of controls. Control Implementation Set: Defines how the component or capability supports a set of controls.

Control Implementation Description

A description of how the specified set of controls are implemented for the containing component or capability. Control Implementation Description: A description of how the specified set of controls are implemented for the containing component or capability.

Control Implementation Set Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a set of implemented controls elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation set can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Control Implementation Set Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a set of implemented controls elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation set can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Source Resource Reference

A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition. Source Resource Reference: A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.

Control Implementation

Describes how the containing component or capability implements an individual control. Control Implementation: Describes how the containing component or capability implements an individual control.

Control Implementation Description

A suggestion for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan. Control Implementation Description: A suggestion for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Control Implementation Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a specific control implementation elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Control Implementation Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a specific control implementation elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Control Identifier Reference

Control Statement Implementation

Identifies which statements within a control are addressed. Control Statement Implementation: Identifies which statements within a control are addressed.

Statement Implementation Description

A summary of how the containing control statement is implemented by the component or capability. Statement Implementation Description: A summary of how the containing control statement is implemented by the component or capability.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Control Statement Reference

A human-oriented identifier reference to a control statement. Control Statement Reference: A human-oriented identifier reference to a control statement.

Control Statement Reference Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). Control Statement Reference Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).

Component

A defined component that can be part of an implemented system. Component: A defined component that can be part of an implemented system.

Component Title

A human readable name for the system component. Component Title: A human readable name for the system component.

Component Description

A description of the component, including information about its function. Component Description: A description of the component, including information about its function.

Purpose

A summary of the technological or business purpose of the component. Purpose: A summary of the technological or business purpose of the component.

Status

Describes the operational status of the system component. Status: Describes the operational status of the system component.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

State

The operational status. State: The operational status.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Component Identifier

Component Type

A category describing the purpose of the component. Component Type: A category describing the purpose of the component.

Service Protocol Information

Information about the protocol used to provide a service. Service Protocol Information: Information about the protocol used to provide a service.

Protocol Title

A human readable name for the protocol (e.g., Transport Layer Security). Protocol Title: A human readable name for the protocol (e.g., Transport Layer Security).

Service Protocol Information Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Service Protocol Information Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Protocol Name

The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. Protocol Name: The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.

Port Range

Where applicable this is the IPv4 port range on which the service operates. Port Range: Where applicable this is the IPv4 port range on which the service operates.

Start

Indicates the starting port number in a port range Start: Indicates the starting port number in a port range

End

Indicates the ending port number in a port range End: Indicates the ending port number in a port range

Transport

Indicates the transport type. Transport: Indicates the transport type.

Implementation Status

Indicates the degree to which the a given control is implemented. Implementation Status: Indicates the degree to which the a given control is implemented.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Implementation State

Identifies the implementation status of the control or control objective. Implementation State: Identifies the implementation status of the control or control objective.

System User

A type of user that interacts with the system based on an associated role. System User: A type of user that interacts with the system based on an associated role.

User Title

A name given to the user, which may be used by a tool for display and navigation. User Title: A name given to the user, which may be used by a tool for display and navigation.

User Short Name

A short common name, abbreviation, or acronym for the user. User Short Name: A short common name, abbreviation, or acronym for the user.

User Description

A summary of the user's purpose within the system. User Description: A summary of the user's purpose within the system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

User Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. User Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Privilege

Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege. Privilege: Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.

Privilege Title

A human readable name for the privilege. Privilege Title: A human readable name for the privilege.

Privilege Description

A summary of the privilege's purpose within the system. Privilege Description: A summary of the privilege's purpose within the system.

Functions Performed

Describes a function performed for a given authorized privilege by this user class. Functions Performed: Describes a function performed for a given authorized privilege by this user class.

Inventory Item

A single managed inventory item within the system. Inventory Item: A single managed inventory item within the system.

Inventory Item Description

A summary of the inventory item stating its purpose within the system. Inventory Item Description: A summary of the inventory item stating its purpose within the system.

Implemented Component

The set of components that are implemented in a given system inventory item. Implemented Component: The set of components that are implemented in a given system inventory item.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Component Universally Unique Identifier Reference

A machine-oriented identifier reference to a component that is implemented as part of an inventory item. Component Universally Unique Identifier Reference: A machine-oriented identifier reference to a component that is implemented as part of an inventory item.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Inventory Item Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Inventory Item Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Set Parameter Value

Identifies the parameter that will be set by the enclosed value. Set Parameter Value: Identifies the parameter that will be set by the enclosed value.

Parameter Value

A parameter value or set of values. Parameter Value: A parameter value or set of values.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Parameter ID

A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context. Parameter ID: A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.

System Identification

A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document. System Identification: A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.

Identification System Type

Identifies the identification system from which the provided identifier was assigned. Identification System Type: Identifies the identification system from which the provided identifier was assigned.

System Security Plan (SSP)

A system security plan, such as those described in NIST SP 800-18 System Security Plan (SSP): A system security plan, such as those described in NIST SP 800-18

System Security Plan Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. System Security Plan Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Import Profile

Used to import the OSCAL profile representing the system's control baseline. Import Profile: Used to import the OSCAL profile representing the system's control baseline.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Profile Reference

A resolvable URL reference to the profile or catalog to use as the system's control baseline. Profile Reference: A resolvable URL reference to the profile or catalog to use as the system's control baseline.

System Characteristics

Contains the characteristics of the system, such as its name, purpose, and security impact level. System Characteristics: Contains the characteristics of the system, such as its name, purpose, and security impact level.

System Name - Full

The full name of the system. System Name - Full: The full name of the system.

System Name - Short

A short name for the system, such as an acronym, that is suitable for display in a data table or summary list. System Name - Short: A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.

System Description

A summary of the system. System Description: A summary of the system.

Security Sensitivity Level

The overall information system sensitivity categorization, such as defined by FIPS-199. Security Sensitivity Level: The overall information system sensitivity categorization, such as defined by FIPS-199.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

System Information

Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60. System Information: Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.

Information Type

Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60. Information Type: Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.

title field

A human readable name for the information type. This title should be meaningful within the context of the system. title field: A human readable name for the information type. This title should be meaningful within the context of the system.

Information Type Description

A summary of how this information type is used within the system. Information Type Description: A summary of how this information type is used within the system.

Information Type Categorization

A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60. Information Type Categorization: A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.

Information Type Systematized Identifier

A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Information Type Systematized Identifier: A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Information Type Identification System

Specifies the information type identification system used. Information Type Identification System: Specifies the information type identification system used.

Confidentiality Impact Level

The expected level of impact resulting from the unauthorized disclosure of the described information. Confidentiality Impact Level: The expected level of impact resulting from the unauthorized disclosure of the described information.

Adjustment Justification

If the selected security level is different from the base security level, this contains the justification for the change. Adjustment Justification: If the selected security level is different from the base security level, this contains the justification for the change.

Integrity Impact Level

The expected level of impact resulting from the unauthorized modification of the described information. Integrity Impact Level: The expected level of impact resulting from the unauthorized modification of the described information.

Adjustment Justification

Availability Impact Level

The expected level of impact resulting from the disruption of access to or use of the described information or the information system. Availability Impact Level: The expected level of impact resulting from the disruption of access to or use of the described information or the information system.

Adjustment Justification

Information Type Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Information Type Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Base Level (Confidentiality, Integrity, or Availability)

The prescribed base (Confidentiality, Integrity, or Availability) security impact level. Base Level (Confidentiality, Integrity, or Availability): The prescribed base (Confidentiality, Integrity, or Availability) security impact level.

Selected Level (Confidentiality, Integrity, or Availability)

The selected (Confidentiality, Integrity, or Availability) security impact level. Selected Level (Confidentiality, Integrity, or Availability): The selected (Confidentiality, Integrity, or Availability) security impact level.

Adjustment Justification

Security Impact Level

The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information. Security Impact Level: The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.

Security Objective: Confidentiality

A target-level of confidentiality for the system, based on the sensitivity of information within the system. Security Objective: Confidentiality: A target-level of confidentiality for the system, based on the sensitivity of information within the system.

Security Objective: Integrity

A target-level of integrity for the system, based on the sensitivity of information within the system. Security Objective: Integrity: A target-level of integrity for the system, based on the sensitivity of information within the system.

Security Objective: Availability

A target-level of availability for the system, based on the sensitivity of information within the system. Security Objective: Availability: A target-level of availability for the system, based on the sensitivity of information within the system.

Status

Describes the operational status of the system. Status: Describes the operational status of the system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

State

The current operating status. State: The current operating status.

System Authorization Date

The date the system received its authorization. System Authorization Date: The date the system received its authorization.

Authorization Boundary

A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary. Authorization Boundary: A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.

Authorization Boundary Description

A summary of the system's authorization boundary. Authorization Boundary Description: A summary of the system's authorization boundary.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Diagram

A graphic that provides a visual representation the system, or some aspect of it. Diagram: A graphic that provides a visual representation the system, or some aspect of it.

Diagram Description

A summary of the diagram. Diagram Description: A summary of the diagram.

Caption

A brief caption to annotate the diagram. Caption: A brief caption to annotate the diagram.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Diagram ID

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Diagram ID: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Network Architecture

A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture. Network Architecture: A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.

Network Architecture Description

A summary of the system's network architecture. Network Architecture Description: A summary of the system's network architecture.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Data Flow

A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows. Data Flow: A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.

Data Flow Description

A summary of the system's data flow. Data Flow Description: A summary of the system's data flow.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

System Implementation

Provides information as to how the system is implemented. System Implementation: Provides information as to how the system is implemented.

Leveraged Authorization

A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider. Leveraged Authorization: A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.

title field

A human readable name for the leveraged authorization in the context of the system. title field: A human readable name for the leveraged authorization in the context of the system.

party-uuid field

A machine-oriented identifier reference to the party that manages the leveraged system. party-uuid field: A machine-oriented identifier reference to the party that manages the leveraged system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Leveraged Authorization Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Leveraged Authorization Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Control Implementation

Describes how the system satisfies a set of controls. Control Implementation: Describes how the system satisfies a set of controls.

Control Implementation Description

A statement describing important things to know about how this set of control satisfaction documentation is approached. Control Implementation Description: A statement describing important things to know about how this set of control satisfaction documentation is approached.

Control-based Requirement

Describes how the system satisfies the requirements of an individual control. Control-based Requirement: Describes how the system satisfies the requirements of an individual control.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Control Requirement Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Control Requirement Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Control Identifier Reference

Specific Control Statement

Identifies which statements within a control are addressed. Specific Control Statement: Identifies which statements within a control are addressed.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Control Statement Reference

A human-oriented identifier reference to a control statement. Control Statement Reference: A human-oriented identifier reference to a control statement.

Control Statement Reference Universally Unique Identifier

Component Control Implementation

Defines how the referenced component implements a set of controls. Component Control Implementation: Defines how the referenced component implements a set of controls.

Control Implementation Description

An implementation statement that describes how a control or a control statement is implemented within the referenced system component. Control Implementation Description: An implementation statement that describes how a control or a control statement is implemented within the referenced system component.

Export

Identifies content intended for external consumption, such as with leveraged organizations. Export: Identifies content intended for external consumption, such as with leveraged organizations.

Control Implementation Export Description

An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system. Control Implementation Export Description: An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.

Provided Control Implementation

Describes a capability which may be inherited by a leveraging system. Provided Control Implementation: Describes a capability which may be inherited by a leveraging system.

Provided Control Implementation Description

An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system. Provided Control Implementation Description: An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Provided Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Provided Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Control Implementation Responsibility

Describes a control implementation responsibility imposed on a leveraging system. Control Implementation Responsibility: Describes a control implementation responsibility imposed on a leveraging system.

Control Implementation Responsibility Description

An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system. Control Implementation Responsibility Description: An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Responsibility Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Responsibility Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Provided UUID

A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system. Provided UUID: A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Inherited Control Implementation

Describes a control implementation inherited by a leveraging system. Inherited Control Implementation: Describes a control implementation inherited by a leveraging system.

Inherited Control Implementation Description

An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system. Inherited Control Implementation Description: An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.

Inherited Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Inherited Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Provided UUID

Satisfied Control Implementation Responsibility

Describes how this system satisfies a responsibility imposed by a leveraged system. Satisfied Control Implementation Responsibility: Describes how this system satisfies a responsibility imposed by a leveraged system.

Satisfied Control Implementation Responsibility Description

An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system. Satisfied Control Implementation Responsibility Description: An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Satisfied Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Satisfied Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Responsibility UUID

A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system. Responsibility UUID: A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Component Universally Unique Identifier Reference

A machine-oriented identifier reference to the component that is implemeting a given control. Component Universally Unique Identifier Reference: A machine-oriented identifier reference to the component that is implemeting a given control.

By-Component Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. By-Component Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Security Assessment Plan (SAP)

An assessment plan, such as those provided by a FedRAMP assessor. Security Assessment Plan (SAP): An assessment plan, such as those provided by a FedRAMP assessor.

Local Definitions

Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP. Local Definitions: Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Assessment Plan Terms and Conditions

Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition. Assessment Plan Terms and Conditions: Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.

Assessment Plan Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Assessment Plan Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Import System Security Plan

Used by the assessment plan and POA&M to import information about the system. Import System Security Plan: Used by the assessment plan and POA&M to import information about the system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

System Security Plan Reference

A resolvable URL reference to the system security plan for the system being assessed. System Security Plan Reference: A resolvable URL reference to the system security plan for the system being assessed.

Assessment-Specific Control Objective

A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions. Assessment-Specific Control Objective: A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.

Objective Description

A human-readable description of this control objective. Objective Description: A human-readable description of this control objective.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Control Identifier Reference

Assessment Method

A local definition of a control objective. Uses catalog syntax for control objective and assessment activities. Assessment Method: A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.

Assessment Method Description

A human-readable description of this assessment method. Assessment Method Description: A human-readable description of this assessment method.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Assessment Method Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Assessment Method Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Activity

Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment. Activity: Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.

Included Activity Title

The title for this included activity. Included Activity Title: The title for this included activity.

Included Activity Description

A human-readable description of this included activity. Included Activity Description: A human-readable description of this included activity.

Step

Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure. Step: Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.

Step Title

The title for this step. Step Title: The title for this step.

Step Description

A human-readable description of this step. Step Description: A human-readable description of this step.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Step Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Step Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Assessment Activity Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Assessment Activity Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Task

Represents a scheduled event or milestone, which may be associated with a series of assessment actions. Task: Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

Task Title

The title for this task. Task Title: The title for this task.

Task Description

A human-readable description of this task. Task Description: A human-readable description of this task.

Event Timing

The timing under which the task is intended to occur. Event Timing: The timing under which the task is intended to occur.

On Date Condition

The task is intended to occur on the specified date. On Date Condition: The task is intended to occur on the specified date.

On Date Condition

The task must occur on the specified date. On Date Condition: The task must occur on the specified date.

On Date Range Condition

The task is intended to occur within the specified date range. On Date Range Condition: The task is intended to occur within the specified date range.

Start Date Condition

The task must occur on or after the specified date. Start Date Condition: The task must occur on or after the specified date.

End Date Condition

The task must occur on or before the specified date. End Date Condition: The task must occur on or before the specified date.

Frequency Condition

The task is intended to occur at the specified frequency. Frequency Condition: The task is intended to occur at the specified frequency.

Period

The task must occur after the specified period has elapsed. Period: The task must occur after the specified period has elapsed.

Time Unit

The unit of time for the period. Time Unit: The unit of time for the period.

Task Dependency

Used to indicate that a task is dependent on another task. Task Dependency: Used to indicate that a task is dependent on another task.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Task Universally Unique Identifier Reference

A machine-oriented identifier reference to a unique task. Task Universally Unique Identifier Reference: A machine-oriented identifier reference to a unique task.

Associated Activity

Identifies an individual activity to be performed as part of a task. Associated Activity: Identifies an individual activity to be performed as part of a task.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Activity Universally Unique Identifier Reference

A machine-oriented identifier reference to an activity defined in the list of activities. Activity Universally Unique Identifier Reference: A machine-oriented identifier reference to an activity defined in the list of activities.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Task Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Task Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Task Type

The type of task. Task Type: The type of task.

Reviewed Controls and Control Objectives

Identifies the controls being assessed and their control objectives. Reviewed Controls and Control Objectives: Identifies the controls being assessed and their control objectives.

Control Objective Description

A human-readable description of control objectives. Control Objective Description: A human-readable description of control objectives.

Assessed Controls

Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan. Assessed Controls: Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.

Assessed Controls Description

A human-readable description of in-scope controls specified for assessment. Assessed Controls Description: A human-readable description of in-scope controls specified for assessment.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Referenced Control Objectives

Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan. Referenced Control Objectives: Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.

Control Objectives Description

A human-readable description of this collection of control objectives. Control Objectives Description: A human-readable description of this collection of control objectives.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Select Control

Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope. Select Control: Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

Include Specific Statements

Used to constrain the selection to only specificity identified statements. Include Specific Statements: Used to constrain the selection to only specificity identified statements.

Control Identifier Reference

Select Objective

Used to select a control objective for inclusion/exclusion based on the control objective's identifier. Select Objective: Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

Objective ID

Points to an assessment objective. Objective ID: Points to an assessment objective.

Assessment Subject Placeholder

Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log. Assessment Subject Placeholder: Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.

Assessment Subject Placeholder Description

A human-readable description of intent of this assessment subject placeholder. Assessment Subject Placeholder Description: A human-readable description of intent of this assessment subject placeholder.

Assessment Subject Source

Assessment subjects will be identified while conducting the referenced activity-instance. Assessment Subject Source: Assessment subjects will be identified while conducting the referenced activity-instance.

Task Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Task Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Assessment Subject Placeholder Universally Unique Identifier

A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Assessment Subject Placeholder Universally Unique Identifier: A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Subject of Assessment

Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope. Subject of Assessment: Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

Include Subjects Description

A human-readable description of the collection of subjects being included in this assessment. Include Subjects Description: A human-readable description of the collection of subjects being included in this assessment.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Subject Type

Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement. Subject Type: Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

Select Assessment Subject

Identifies a set of assessment subjects to include/exclude by UUID. Select Assessment Subject: Identifies a set of assessment subjects to include/exclude by UUID.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Subject Universally Unique Identifier Reference

A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID. Subject Universally Unique Identifier Reference: A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.

Subject Universally Unique Identifier Reference Type

Used to indicate the type of object pointed to by the uuid-ref within a subject. Subject Universally Unique Identifier Reference Type: Used to indicate the type of object pointed to by the uuid-ref within a subject.

Identifies the Subject

A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. Identifies the Subject: A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

Subject Reference Title

The title or name for the referenced subject. Subject Reference Title: The title or name for the referenced subject.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Subject Universally Unique Identifier Reference

Subject Universally Unique Identifier Reference Type

Assessment Assets

Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions. Assessment Assets: Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.

Assessment Platform

Used to represent the toolset used to perform aspects of the assessment. Assessment Platform: Used to represent the toolset used to perform aspects of the assessment.

Assessment Platform Title

The title or name for the assessment platform. Assessment Platform Title: The title or name for the assessment platform.

Uses Component

The set of components that are used by the assessment platform. Uses Component: The set of components that are used by the assessment platform.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Component Universally Unique Identifier Reference

A machine-oriented identifier reference to a component that is implemented as part of an inventory item. Component Universally Unique Identifier Reference: A machine-oriented identifier reference to a component that is implemented as part of an inventory item.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Assessment Platform Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Assessment Platform Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Objective Status

Captures an assessor's conclusions regarding the degree to which an objective is satisfied. Objective Status: Captures an assessor's conclusions regarding the degree to which an objective is satisfied.

Objective Status Title

The title for this objective status. Objective Status Title: The title for this objective status.

Objective Status Description

A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied. Objective Status Description: A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.

Objective Status

A determination of if the objective is satisfied or not within a given system. Objective Status: A determination of if the objective is satisfied or not within a given system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Objective Status State

An indication as to whether the objective is satisfied or not. Objective Status State: An indication as to whether the objective is satisfied or not.

Objective Status Reason

The reason the objective was given it's status. Objective Status Reason: The reason the objective was given it's status.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Finding Target Type

Identifies the type of the target. Finding Target Type: Identifies the type of the target.

Finding Target Identifier Reference

A machine-oriented identifier reference for a specific target qualified by the type. Finding Target Identifier Reference: A machine-oriented identifier reference for a specific target qualified by the type.

Observation

Describes an individual observation. Observation: Describes an individual observation.

Observation Title

The title for this observation. Observation Title: The title for this observation.

Observation Description

A human-readable description of this assessment observation. Observation Description: A human-readable description of this assessment observation.

Observation Method

Identifies how the observation was made. Observation Method: Identifies how the observation was made.

Observation Type

Identifies the nature of the observation. More than one may be used to further qualify and enable filtering. Observation Type: Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.

Relevant Evidence

Links this observation to relevant evidence. Relevant Evidence: Links this observation to relevant evidence.

Relevant Evidence Description

A human-readable description of this evidence. Relevant Evidence Description: A human-readable description of this evidence.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Relevant Evidence Reference

A resolvable URL reference to relevant evidence. Relevant Evidence Reference: A resolvable URL reference to relevant evidence.

Collected Field

Date/time stamp identifying when the finding information was collected. Collected Field: Date/time stamp identifying when the finding information was collected.

Expires Field

Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios. Expires Field: Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Observation Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Observation Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Origin

Identifies the source of the finding, such as a tool, interviewed person, or activity. Origin: Identifies the source of the finding, such as a tool, interviewed person, or activity.

Originating Actor

The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool. Originating Actor: The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

Actor Type

The kind of actor. Actor Type: The kind of actor.

Actor Universally Unique Identifier Reference

A machine-oriented identifier reference to the tool or person based on the associated type. Actor Universally Unique Identifier Reference: A machine-oriented identifier reference to the tool or person based on the associated type.

Actor Role

For a party, this can optionally be used to specify the role the actor was performing. Actor Role: For a party, this can optionally be used to specify the role the actor was performing.

Task Reference

Identifies an individual task for which the containing object is a consequence of. Task Reference: Identifies an individual task for which the containing object is a consequence of.

Identified Subject

Used to detail assessment subjects that were identfied by this task. Identified Subject: Used to detail assessment subjects that were identfied by this task.

Assessment Subject Placeholder Universally Unique Identifier Reference

A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task. Assessment Subject Placeholder Universally Unique Identifier Reference: A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Task Universally Unique Identifier Reference

A machine-oriented identifier reference to a unique task. Task Universally Unique Identifier Reference: A machine-oriented identifier reference to a unique task.

Threat ID

A pointer, by ID, to an externally-defined threat. Threat ID: A pointer, by ID, to an externally-defined threat.

Threat Type Identification System

Specifies the source of the threat information. Threat Type Identification System: Specifies the source of the threat information.

Threat Information Resource Reference

An optional location for the threat data, from which this ID originates. Threat Information Resource Reference: An optional location for the threat data, from which this ID originates.

Identified Risk

An identified risk. Identified Risk: An identified risk.

Risk Title

The title for this risk. Risk Title: The title for this risk.

Risk Description

A human-readable summary of the identified risk, to include a statement of how the risk impacts the system. Risk Description: A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.

Risk Statement

An summary of impact for how the risk affects the system. Risk Statement: An summary of impact for how the risk affects the system.

Mitigating Factor

Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP. Mitigating Factor: Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.

Mitigating Factor Description

A human-readable description of this mitigating factor. Mitigating Factor Description: A human-readable description of this mitigating factor.

Mitigating Factor Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Mitigating Factor Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Implementation UUID

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Implementation UUID: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Risk Resolution Deadline

The date/time by which the risk must be resolved. Risk Resolution Deadline: The date/time by which the risk must be resolved.

Risk Log

A log of all risk-related tasks taken. Risk Log: A log of all risk-related tasks taken.

Risk Log Entry

Identifies an individual risk response that occurred as part of managing an identified risk. Risk Log Entry: Identifies an individual risk response that occurred as part of managing an identified risk.

Title

The title for this risk log entry. Title: The title for this risk log entry.

Risk Task Description

A human-readable description of what was done regarding the risk. Risk Task Description: A human-readable description of what was done regarding the risk.

Start

Identifies the start date and time of the event. Start: Identifies the start date and time of the event.

End

Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time. End: Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.

Risk Response Reference

Identifies an individual risk response that this log entry is for. Risk Response Reference: Identifies an individual risk response that this log entry is for.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Response Universally Unique Identifier Reference

A machine-oriented identifier reference to a unique risk response. Response Universally Unique Identifier Reference: A machine-oriented identifier reference to a unique risk response.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Risk Log Entry Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Risk Log Entry Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Related Observation

Relates the finding to a set of referenced observations that were used to determine the finding. Related Observation: Relates the finding to a set of referenced observations that were used to determine the finding.

Observation Universally Unique Identifier Reference

A machine-oriented identifier reference to an observation defined in the list of observations. Observation Universally Unique Identifier Reference: A machine-oriented identifier reference to an observation defined in the list of observations.

Risk Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Risk Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Logged By

Used to indicate who created a log entry in what role. Logged By: Used to indicate who created a log entry in what role.

Party UUID Reference

A machine-oriented identifier reference to the party who is making the log entry. Party UUID Reference: A machine-oriented identifier reference to the party who is making the log entry.

Actor Role

A point to the role-id of the role in which the party is making the log entry. Actor Role: A point to the role-id of the role in which the party is making the log entry.

Risk Status

Describes the status of the associated risk. Risk Status: Describes the status of the associated risk.

Characterization

A collection of descriptive data about the containing object from a specific origin. Characterization: A collection of descriptive data about the containing object from a specific origin.

Facet

An individual characteristic that is part of a larger set produced by the same actor. Facet: An individual characteristic that is part of a larger set produced by the same actor.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Facet Name

The name of the risk metric within the specified system. Facet Name: The name of the risk metric within the specified system.

Naming System

Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash. Naming System: Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.

Facet Value

Indicates the value of the facet. Facet Value: Indicates the value of the facet.

Risk Response

Describes either recommended or an actual plan for addressing the risk. Risk Response: Describes either recommended or an actual plan for addressing the risk.

Response Title

The title for this response activity. Response Title: The title for this response activity.

Response Description

A human-readable description of this response plan. Response Description: A human-readable description of this response plan.

Required Asset

Identifies an asset required to achieve remediation. Required Asset: Identifies an asset required to achieve remediation.

Title for Required Asset

The title for this required asset. Title for Required Asset: The title for this required asset.

Description of Required Asset

A human-readable description of this required asset. Description of Required Asset: A human-readable description of this required asset.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Required Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Required Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Remediation Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Remediation Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Remediation Intent

Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner. Remediation Intent: Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.

Assessment Part

A partition of an assessment plan or results or a child of another part. Assessment Part: A partition of an assessment plan or results or a child of another part.

Part Title

A name given to the part, which may be used by a tool for display and navigation. Part Title: A name given to the part, which may be used by a tool for display and navigation.

Part Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Part Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Part Name

A textual label that uniquely identifies the part's semantic type. Part Name: A textual label that uniquely identifies the part's semantic type.

Part Namespace

Part Class

Security Assessment Results (SAR)

Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report. Security Assessment Results (SAR): Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.

Local Definitions

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Assessment Results Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Assessment Results Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Assessment Result

Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition. Assessment Result: Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.

Results Title

The title for this set of results. Results Title: The title for this set of results.

Results Description

A human-readable description of this set of test results. Results Description: A human-readable description of this set of test results.

start field

Date/time stamp identifying the start of the evidence collection reflected in these results. start field: Date/time stamp identifying the start of the evidence collection reflected in these results.

end field

Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate. end field: Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.

Local Definitions

Attestation Statements

A set of textual statements, typically written by the assessor. Attestation Statements: A set of textual statements, typically written by the assessor.

Assessment Log

A log of all assessment-related actions taken. Assessment Log: A log of all assessment-related actions taken.

Assessment Log Entry

Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results. Assessment Log Entry: Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.

Action Title

The title for this event. Action Title: The title for this event.

Action Description

A human-readable description of this event. Action Description: A human-readable description of this event.

Start

Identifies the start date and time of an event. Start: Identifies the start date and time of an event.

End

Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time. End: Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Assessment Log Entry Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Assessment Log Entry Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Results Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Results Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Finding

Describes an individual finding. Finding: Describes an individual finding.

Finding Title

The title for this finding. Finding Title: The title for this finding.

Finding Description

A human-readable description of this finding. Finding Description: A human-readable description of this finding.

Implementation Statement UUID

A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related. Implementation Statement UUID: A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.

Related Observation

Observation Universally Unique Identifier Reference

Associated Risk

Relates the finding to a set of referenced risks that were used to determine the finding. Associated Risk: Relates the finding to a set of referenced risks that were used to determine the finding.

Risk Universally Unique Identifier Reference

A machine-oriented identifier reference to a risk defined in the list of risks. Risk Universally Unique Identifier Reference: A machine-oriented identifier reference to a risk defined in the list of risks.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Finding Universally Unique Identifier

A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Finding Universally Unique Identifier: A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Import Assessment Plan

Used by assessment-results to import information about the original plan for assessing the system. Import Assessment Plan: Used by assessment-results to import information about the original plan for assessing the system.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

Assessment Plan Reference

A resolvable URL reference to the assessment plan governing the assessment activities. Assessment Plan Reference: A resolvable URL reference to the assessment plan governing the assessment activities.

Plan of Action and Milestones (POA&M)

A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP. Plan of Action and Milestones (POA&M): A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.

POA&M Universally Unique Identifier

A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. POA&M Universally Unique Identifier: A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.

Local Definitions

Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M. Local Definitions: Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

POA&M Item

Describes an individual POA&M item. POA&M Item: Describes an individual POA&M item.

POA&M Item Title

The title or name for this POA&M item . POA&M Item Title: The title or name for this POA&M item .

POA&M Item Description

A human-readable description of POA&M item. POA&M Item Description: A human-readable description of POA&M item.

Origin

Identifies the source of the finding, such as a tool or person. Origin: Identifies the source of the finding, such as a tool or person.

Related Observation

Relates the poam-item to a set of referenced observations that were used to determine the finding. Related Observation: Relates the poam-item to a set of referenced observations that were used to determine the finding.

Observation Universally Unique Identifier Reference

Associated Risk

Risk Universally Unique Identifier Reference

Remarks

Additional commentary on the containing object. Remarks: Additional commentary on the containing object.

POA&M Item Universally Unique Identifier

A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. POA&M Item Universally Unique Identifier: A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. The content model is the same as inlineMarkupType, but line endings need to be preserved, since this is preformatted. An insert can be used to identify a placeholder for dynamically inserting text related to a specific object, which is referenced by the object's identifier using an id-ref. This insert mechanism allows the selection of which text value from the object to dynamically include based on the application's display requirements. The type of object to include from (e.g., parameter, control, component, role, etc.) The identity of the object to insert a value for. The identity will be selected from the index of objects of the specified type. The specific value to include is based on the application's display requirements, which will likely use a specific data element associated with the type (e.g., title, identifier, value, etc.) that is appropriate for the application. Binary data encoded using the Base64 encoding algorithm as defined by RFC4648. A binary value that is either: true (or 1) or false (or 0). A string representing a 24-hour period with an optional timezone. A string representing a point in time with an optional timezone. A string representing a point in time with a required timezone. An email address string formatted according to RFC 6531. An integer value that is equal to or greater than 0. This pattern ensures that leading and trailing whitespace is disallowed. This helps to even the user experience between implementations related to whitespace. An integer value that is greater than 0. This pattern ensures that leading and trailing whitespace is disallowed. This helps to even the user experience between implementations related to whitespace. A non-empty string of Unicode characters with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+ The 'string' datatype restricts the XSD type by prohibiting leading and trailing whitespace, and something (not only whitespace) is required. This pattern ensures that leading and trailing whitespace is disallowed. This helps to even the user experience between implementations related to whitespace. A non-empty, non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition (https://www.w3.org/TR/xmlschema11-2/#NCName), with leading and trailing whitespace disallowed. A single token may not contain whitespace. A universal resource identifier (URI) formatted according to RFC3986. Requires a scheme with colon per RFC 3986. A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986. This pattern ensures that leading and trailing whitespace is disallowed. This helps to even the user experience between implementations related to whitespace. A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122. A sequence of 8-4-4-4-12 hex digits, with extra constraints in the 13th and 17-18th places for version 4 and 5