oscal-view

• Addition(add type:object) is found in profile §
  • definition: Specifies contents to be added into controls, in resolution
• Address(address type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A postal address.
• Include all(all type:object) is found in assessment-plan, assessment-results & profile §
  • definition for Include all is different between these schemas
    • assessment-plan: A key word to indicate all
    • assessment-results: A key word to indicate all
    • profile: Include all controls from the imported resource (catalog)
• Alteration(alter type:object) is found in profile §
  • definition: An Alter element specifies changes to be made to an included control when a profile is resolved.
• Annotation(annotation type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A name/value pair with optional explanatory remarks.
• Assessment Activities(assessment-activities type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies the assessment activities and schedule. In the assessment plan, these are planned activities. In the assessment results, these are the actual activities performed.
• Assessment Method(assessment-method type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies a method for assessing the satisfaction of this objective.
• Security Assessment Plan (SAP)(assessment-plan type:object) is found in assessment-plan §
  • definition: An assessment plan, such as those provided by a FedRAMP assessor.
• Security Assessment Results (SAR)(assessment-results type:object) is found in assessment-results §
  • definition: Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.
• Subject of Assessment(assessment-subjects type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies the planned assessment subject. In the assessment results this is the actual assessment subject, and reflects any changes from the plan.
• Assessor(assessor type:object) is found in assessment-results & poam §
  • definition: Identifies an individual who gathered the evidence resulting in the observation or risk identification.
• Assessment Assets(assets type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
• Authorization Boundary(authorization-boundary type:object) is found in ssp §
  • definition: A description of this system’s authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.
• Privilege(authorized-privilege type:object) is found in assessment-plan, assessment-results & ssp §
  • definition: Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.
• Availability Impact Level(availability-impact type:object) is found in ssp §
  • definition: The expected level of impact resulting from the disruption of access to or use of information or the information system.
• Back matter(back-matter type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A collection of citations and resource references.
• Base64(base64 type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition:
• Bibliographic Definition(biblio type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A container in which a set of bibliographic information can included. The model of this information is undefined by OSCAL.
• Component Control Implementation(by-component type:object) is found in ssp §
  • definition: Defines how the referenced component implements a set of controls.
• Call(call type:object) is found in profile §
  • definition: Call a control by its ID
• Capability(capability type:object) is found in component §
  • definition: A grouping of other components and/or capabilities.
• Catalog(catalog type:object) is found in catalog §
  • definition: A collection of controls.
• Citation(citation type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A citation consisting of end note text and optional structured bibliographic data.
• Combination rule(combine type:object) is found in profile §
  • definition: A Combine element defines whether and how to combine multiple (competing) versions of the same control
• Component(component type:object) is found in assessment-plan, assessment-results, component, poam & ssp §
  • definition for Component is different between these schemas
    • assessment-plan: A defined component that can be part of an implemented system.
    • assessment-results: A defined component that can be part of an implemented system.
    • component: A defined component that can be part of an implemented system.
    • poam: A defined component that can be part of an implemented system.
    • ssp: A defined component that can be part of an implemented system.
• Component Definition(component-definition type:object) is found in component §
  • definition: A collection of component descriptions, which may optionally be grouped by capability.
• Confidentiality Impact Level(confidentiality-impact type:object) is found in ssp §
  • definition: The expected level of impact resulting from the unauthorized disclosure of information.
• Constraint(constraint type:object) is found in catalog & profile §
  • definition: A formal or informal expression of a constraint or test
• Control(control type:object) is found in catalog §
  • definition: A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.
• Control Implementation(control-implementation type:object) is found in component & ssp §
  • definition for Control Implementation is different between these schemas
    • component: Defines how the component or capability supports a set of controls.
    • ssp: Describes how the system satisfies a set of controls.
• Control Objectives(control-objectives type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the actual objectives, and reflects any changes from the plan.
• Assessed Controls(controls type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.
• Custom grouping(custom type:object) is found in profile §
  • definition: A Custom element frames a structure for embedding represented controls in resolution.
• Data Flow(data-flow type:object) is found in ssp §
  • definition: A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.
• Diagram(diagram type:object) is found in ssp §
  • definition: A graphic that provides a visual representation the system, or some aspect of it.
• Document Identifier(doc-id type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A document identifier qualified by an identifier type.
• Exclude controls(exclude type:object) is found in profile §
  • definition: Which controls to exclude from the resource (source catalog) being imported
• Included Activity(exclude-activity type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies an activity explicitly excluded from the assessment. In the assessment plan, this clarifies activities that are out-of-scope or prohibited. In the assessment results, this could be used to explicitly identify an activity that was planned, but not performed.
• Exclude Control(exclude-control type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies an individual control to exclude.
• Exclude Objective(exclude-objective type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies an individual control objective to exclude.
• Excluded Assessment Subject(exclude-subject type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies what is explicitly excluded from this assessment. Used to remove a subset of items from groups of explicitly included items. Also used to explicitly clarify off-limit items, such as hosts to avoid scanning.
• Personal Identifier(external-id type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: An identifier for a person (such as an ORCID) using a designated scheme.
• Finding(finding type:object) is found in assessment-results & poam §
  • definition: Describes an individual finding.
• Control group(group type:object) is found in catalog & profile §
  • definition for Control group is different between these schemas
    • catalog: A group of controls, or of groups of controls.
    • profile: As in catalogs, a group of (selected) controls or of groups of controls
• Guideline(guideline type:object) is found in catalog & profile §
  • definition: A prose statement that provides a recommendation for the use of a parameter.
• Hash(hash type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A representation of a cryptographic digest generated over a resource using a hash algorithm.
• Implementation Status(implementation-status type:object) is found in assessment-results & poam §
  • definition: Identifies the implementation status of the control or control objective.
• Implemented Component(implemented-component type:object) is found in assessment-plan, assessment-results, poam & ssp §
  • definition: The set of componenets that are implemented in a given system inventory item.
• Control-based Requirement(implemented-requirement type:object) is found in component & ssp §
  • definition for Control-based Requirement is different between these schemas
    • component: Describes how the component implements an individual control.
    • ssp: Describes how the system satisfies an individual control.
• Import resource(import type:object) is found in profile §
  • definition: An Import element designates a catalog, profile, or other resource to be included (referenced and potentially modified) by this profile.
• Import Assessment Plan(import-ap type:object) is found in assessment-results §
  • definition: Used by assessment-results to import information about the original plan for assessing the system.
• Import Component Definition(import-component-definition type:object) is found in component §
  • definition: Loads a component definition from another resource.
• Import Profile(import-profile type:object) is found in ssp §
  • definition: Used to import the OSCAL profile representing the system’s control baseline.
• Import System Security Plan(import-ssp type:object) is found in assessment-plan & poam §
  • definition: Used by the assessment plan and POA&M to import information about the system.
• Include controls(include type:object) is found in profile §
  • definition: Specifies which controls to include from the resource (source catalog) being imported
• Included Activity(include-activity type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies an assessment activity. In the assessment plan, this is an intended/in-scope activity. In the assessment results, this identifies an activity that was actually performed.
• Include Control(include-control type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies an individual control to include.
• Include Objective(include-objective type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies an individual control objective to include.
• Included Assessment Subject(include-subject type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies exactly what will be the focus of this assessment. Anything not explicitly defined is out-of-scope.
• Incorporates Component(incorporates-component type:object) is found in component §
  • definition: TBD
• Information Type(information-type type:object) is found in ssp §
  • definition: Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
• Information Type Identifier(information-type-id type:object) is found in ssp §
  • definition: An identifier qualified by the given identification system used, such as NIST SP 800-60.
• Integrity Impact Level(integrity-impact type:object) is found in ssp §
  • definition: The expected level of impact resulting from the unauthorized modification of information.
• Inventory Item(inventory-item type:object) is found in assessment-plan, assessment-results, poam & ssp §
  • definition: A single managed inventory item within the system.
• Leveraged Authorization(leveraged-authorization type:object) is found in ssp §
  • definition: A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.
• Link(link type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A reference to a local or remote resource
• Local Definitions(local-definitions type:object) is found in assessment-plan, assessment-results & poam §
  • definition for Local Definitions is different between these schemas
    • assessment-plan: Allows control objectives, users, components, and inventory-items to be defined within the assessment plan or assessment results for circumstances where they are not appropriately defined in the SSP. NOTE: Use the assessment plan or assessment results metadata to define additional locations if needed.
    • assessment-results: Allows control objectives, users, components, and inventory-items to be defined within the assessment plan or assessment results for circumstances where they are not appropriately defined in the SSP. NOTE: Use the assessment plan or assessment results metadata to define additional locations if needed.
    • poam: Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.
• Location(location type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A location, with associated metadata that can be referenced.
• Match controls by identifier(match type:object) is found in profile §
  • definition: Select controls by (regular expression) match on ID
• Merge controls(merge type:object) is found in profile §
  • definition: A Merge element merges controls in resolution.
• Publication metadata(metadata type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: Provides information about the publication and availability of the containing document.
• Assessment Method(method type:object) is found in assessment-plan & assessment-results §
  • definition: A local definition of a control objective. Uses catalog syntax for control objective and assessment actions.
• Mitigating Factor(mitigating-factor type:object) is found in assessment-results & poam §
  • definition: Describes a mitigating factor with an optional link to an implementation statement in the SSP.
• Modify controls(modify type:object) is found in profile §
  • definition: Set parameters or amend controls in resolution
• Network Architecture(network-architecture type:object) is found in ssp §
  • definition: A description of the system’s network architecture, optionally supplemented by diagrams that illustrate the network architecture.
• Control Objective(objective type:object) is found in assessment-plan & assessment-results §
  • definition: A local definition of a control objective. Uses catalog syntax for control objective and assessment actions.
• Implementation Status(objective-status type:object) is found in assessment-results & poam §
  • definition: Captures an assessors conclusions as to whether an objective is fully satisfied.
• Objectives of Assessment(objectives type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies the controls and control being assessed and their control objectives. In the assessment plans, these are the planned controls and objectives. In the assessment results, these are the actual controls and objectives, and reflects any changes from the plan.
• Objective(observation type:object) is found in assessment-results & poam §
  • definition: Describes an individual observation.
• Origin(origin type:object) is found in assessment-results & poam §
  • definition: Identifies the tool or activity that resulted in the observation.
• Assessment Origination(origination type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies the origination of network-based assessment activities, such as the IP address of the tool performing assessment scans.
• Parameter(param type:object) is found in catalog & profile §
  • definition: Parameters provide a mechanism for the dynamic assignment of value(s) in a control.
• Part(part type:object) is found in assessment-plan, assessment-results, catalog & profile §
  • definition: A partition or component of a control or part
• Party (organization or person)(party type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A responsible entity, either singular (an organization or person) or collective (multiple persons)
• Telephone(phone type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: Contact number by telephone
• Plan of Action and Milestones (POA&M)(plan-of-action-and-milestones type:object) is found in poam §
  • definition: A plan of action and milestones, such as those required by FedRAMP.
• Port Range(port-range type:object) is found in assessment-plan, assessment-results, poam & ssp §
  • definition: Where applicable this is the IPv4 port range on which the service operates.
• Profile(profile type:object) is found in profile §
  • definition: Each OSCAL profile is defined by a Profile element
• Property(prop type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A value with a name, attributed to the containing control, part, or group.
• Protocol(protocol type:object) is found in assessment-plan, assessment-results, poam & ssp §
  • definition: Information about the protocol used to provide a service.
• Relevant Evidence(relevant-evidence type:object) is found in assessment-results & poam §
  • definition: Links this observation to relevant evidence.
• Remediation(remediation type:object) is found in assessment-results & poam §
  • definition: Describes either recommendation or an actual plan for remediating the risk.
• Remediation Origin(remediation-origin type:object) is found in assessment-results & poam §
  • definition: Points to the source of the remediation recommendation or plan
• Remediation Tracking(remediation-tracking type:object) is found in assessment-results & poam §
  • definition: A log of events and actions taken towards the remediation of the associated risk.
• Removal(remove type:object) is found in profile §
  • definition: Specifies elements to be removed from a control, in resolution
• Required(required type:object) is found in assessment-results & poam §
  • definition: Identifies something required to achieve remediation.
• Resource(resource type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A resource associated with the present document, which may be a pointer to other data or a citation.
• Responsible Party(responsible-party type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.
• Responsible Role(responsible-role type:object) is found in assessment-plan, assessment-results, component, poam & ssp §
  • definition: A reference to one or more roles with responsibility for performing a function relative to the control.
• Result(result type:object) is found in assessment-results & poam §
  • definition: A brief indication as to whether the objective is satisfied or not.
• Assessment Results(results type:object) is found in assessment-results & poam §
  • definition: Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.
• Revision History Entry(revision type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).
• Identified Risk(risk type:object) is found in assessment-results & poam §
  • definition: An identified risk.
• Risk Metric(risk-metric type:object) is found in assessment-results & poam §
  • definition: An individual risk metric from a specified system.
• Resource link(rlink type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: A pointer to an external copy of a document with optional hash for verification
• Role(role type:object) is found in assessment-plan, assessment-results, catalog, component, poam, profile & ssp §
  • definition: Defining a role to be assigned to a party
• Schedule(schedule type:object) is found in assessment-plan, assessment-results & poam §
  • definition: Identifies the schedule for the assessment activities.
• Security Impact Level(security-impact-level type:object) is found in ssp §
  • definition: The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.
• Selection(select type:object) is found in catalog & profile §
  • definition: Presenting a choice among alternatives
• Set Parameter Value(set-parameter type:object) is found in component, profile & ssp §
  • definition for Set Parameter Value is different between these schemas
    • component: Identifies the parameter that will be filled in by the enclosed value element.
    • profile: A parameter setting, to be propagated to points of insertion
    • ssp: Identifies the parameter that will be filled in by the enclosed value element.
• Specific Statement(statement type:object) is found in component & ssp §
  • definition for Specific Statement is different between these schemas
    • component: Identifies which statements within a control are addressed.
    • ssp: Identifies which statements within a control are addressed.
• Status(status type:object) is found in assessment-plan, assessment-results, poam & ssp §
  • definition: Describes the operational status of the system.
• Identifies the Subject(subject-reference type:object) is found in assessment-plan, assessment-results & poam §
  • definition: A pointer to a resource based on its ID. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.
• System Characteristics(system-characteristics type:object) is found in ssp §
  • definition: Contains the characteristics of the system, such as its name, purpose, and security impact level.
• System Identification(system-id type:object) is found in poam & ssp §
  • definition: A unique identifier for the system described by this system security plan.
• System Implementation(system-implementation type:object) is found in ssp §
  • definition: Provides information as to how the system is implemented.
• System Information(system-information type:object) is found in ssp §
  • definition: Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
• System Inventory(system-inventory type:object) is found in ssp §
  • definition: A set of inventory-item entries that represent the managed inventory instances of the system.
• System Security Plan (SSP)(system-security-plan type:object) is found in ssp §
  • definition: A system security plan, such as those described in NIST SP 800-18
• Task(task type:object) is found in assessment-plan, assessment-results & poam §
  • definition: Identifies an individual task.
• Test Method(test-method type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies an individual test method.
• Test Steps(test-step type:object) is found in assessment-plan & assessment-results §
  • definition: Identifies an individual test step.
• Threat ID(threat-id type:object) is found in assessment-results & poam §
  • definition: A pointer, by ID, to an externally-defined threat.
• Assessment Assets(tools type:object) is found in assessment-plan & assessment-results §
  • definition: The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.
• Tracking Entry(tracking-entry type:object) is found in assessment-results & poam §
  • definition: Individual remediation tracking entry, which logs an event or action taken towards the remediation of the associated risk.
• Parameter description(usage type:object) is found in catalog & profile §
  • definition: Indicates and explains the purpose and use of a parameter
• System User Class(user type:object) is found in assessment-plan, assessment-results & ssp §
  • definition: A type of user that interacts with the system based on an associated role.