{ "$schema" : "http://json-schema.org/draft-07/schema#", "$id" : "http://csrc.nist.gov/ns/oscal/1.0-schema.json", "$comment" : "OSCAL Plan of Action and Milestones (POA&M) Format: JSON Schema", "type" : "object", "definitions" : { "metadata" : { "title" : "Publication metadata", "description" : "Provides information about the publication and availability of the containing document.", "$id" : "#/definitions/metadata", "type" : "object", "properties" : { "title" : { "$ref" : "#/definitions/title" }, "published" : { "$ref" : "#/definitions/published" }, "last-modified" : { "$ref" : "#/definitions/last-modified" }, "version" : { "$ref" : "#/definitions/version" }, "oscal-version" : { "$ref" : "#/definitions/oscal-version" }, "revision-history" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/revision" } }, "document-ids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/doc-id" } }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "roles" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/role" } }, "locations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/location" } }, "parties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/party" } }, "responsible-parties" : { "type" : "object", "minProperties" : 1, "additionalProperties" : { "allOf" : [ { "type" : "object", "$ref" : "#/definitions/responsible-party" }, { "not" : { "type" : "string" } } ] } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "title", "last-modified", "version", "oscal-version" ], "additionalProperties" : false }, "back-matter" : { "title" : "Back matter", "description" : "A collection of citations and resource references.", "$id" : "#/definitions/back-matter", "type" : "object", "properties" : { "resources" : { 
"type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/resource" } } }, "additionalProperties" : false }, "revision" : { "title" : "Revision History Entry", "description" : "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).", "$id" : "#/definitions/revision", "type" : "object", "properties" : { "title" : { "$ref" : "#/definitions/title" }, "published" : { "$ref" : "#/definitions/published" }, "last-modified" : { "$ref" : "#/definitions/last-modified" }, "version" : { "$ref" : "#/definitions/version" }, "oscal-version" : { "$ref" : "#/definitions/oscal-version" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "additionalProperties" : false }, "link" : { "title" : "Link", "description" : "A reference to a local or remote resource", "$id" : "#/definitions/link", "type" : "object", "properties" : { "href" : { "title" : "hypertext reference", "description" : "A link to a document or document fragment (actual, nominal or projected)", "type" : "string", "format" : "uri-reference" }, "rel" : { "title" : "Relation", "description" : "Describes the type of relationship provided by the link. 
This can be an indicator of the link's purpose.", "type" : "string" }, "media-type" : { "title" : "Media type", "description" : "Describes the media type of the linked resource", "type" : "string" }, "text" : { "type" : "string" } }, "required" : [ "text", "href" ], "additionalProperties" : false }, "published" : { "title" : "Publication Timestamp", "description" : "The date and time this document was published.", "$id" : "#/definitions/published", "type" : "string", "format" : "date-time", "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" }, "last-modified" : { "title" : "Last modified timestamp", "description" : "Date and time of last modification.", "$id" : "#/definitions/last-modified", "type" : "string", "format" : "date-time", "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" }, "version" : { "title" : "Document version", "description" : "The version of the document content.", "$id" : "#/definitions/version", "type" : "string" }, "oscal-version" : { "title" : "OSCAL version", "description" : "OSCAL model version.", "$id" : "#/definitions/oscal-version", "type" : "string" }, "doc-id" : { "title" : "Document Identifier", "description" : "A document identifier qualified by an identifier type.", "$id" : "#/definitions/doc-id", "type" : "object", "properties" : { "type" : { "description" : "Qualifies the kind of document identifier.", "type" : "string" }, "identifier" : { "type" : "string" } }, 
"required" : [ "identifier", "type" ], "additionalProperties" : false }, "prop" : { "title" : "Property", "description" : "A value with a name, attributed to the containing control, part, or group.", "$id" : "#/definitions/prop", "type" : "object", "properties" : { "name" : { "title" : "Name", "description" : "Identifying the purpose and intended use of the property, part or other object.", "type" : "string" }, "id" : { "title" : "Identifier", "description" : "Unique identifier of the containing object", "type" : "string" }, "ns" : { "title" : "Namespace", "description" : "A namespace qualifying the name.", "type" : "string" }, "class" : { "title" : "Class", "description" : "Indicating the type or classification of the containing object", "type" : "string" }, "value" : { "type" : "string" } }, "required" : [ "value", "name" ], "additionalProperties" : false }, "annotation" : { "title" : "Annotation", "description" : "A name/value pair with optional explanatory remarks.", "$id" : "#/definitions/annotation", "type" : "object", "properties" : { "name" : { "title" : "Name", "description" : "Identifying the purpose and intended use of the property, part or other object.", "type" : "string" }, "id" : { "title" : "Identifier", "description" : "Unique identifier of the containing object", "type" : "string" }, "ns" : { "title" : "Namespace", "description" : "A namespace qualifying the name.", "type" : "string" }, "value" : { "title" : "Value", "description" : "Indicates the value of the characteristic.", "type" : "string" }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "name" ], "additionalProperties" : false }, "location" : { "title" : "Location", "description" : "A location, with associated metadata that can be referenced.", "$id" : "#/definitions/location", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", 
"type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "title" : { "$ref" : "#/definitions/title" }, "address" : { "$ref" : "#/definitions/address" }, "email-addresses" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/email" } }, "telephone-numbers" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/phone" } }, "URLs" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/url" } }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid", "address" ], "additionalProperties" : false }, "location-uuid" : { "title" : "Location Reference", "description" : "References a location defined in metadata.", "$id" : "#/definitions/location-uuid", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "party" : { "title" : "Party (organization or person)", "description" : "A responsible entity, either singular (an organization or person) or collective (multiple persons)", "$id" : "#/definitions/party", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "type" : { "title" : "Party Type", "description" : "A category describing the kind of party the object describes.", "type" : "string", "enum" : [ "person", "organization" ] }, "party-name" : { "$ref" : "#/definitions/party-name" }, "short-name" : { "$ref" : 
"#/definitions/short-name" }, "external-ids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/external-id" } }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "addresses" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/address" } }, "email-addresses" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/email" } }, "telephone-numbers" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/phone" } }, "member-of-organizations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/member-of-organization" } }, "location-uuids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/location-uuid" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid", "type", "party-name" ], "additionalProperties" : false }, "party-uuid" : { "title" : "Party Reference", "description" : "References a party defined in metadata.", "$id" : "#/definitions/party-uuid", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "external-id" : { "title" : "Personal Identifier", "description" : "An identifier for a person (such as an ORCID) using a designated scheme.", "$id" : "#/definitions/external-id", "type" : "object", "properties" : { "type" : { "title" : "Type", "description" : "Indicating the type of identifier, address, email or other data item.", "type" : "string" }, "id" : { "type" : "string" } }, "required" : [ "id", "type" ], "additionalProperties" : false }, "member-of-organization" : { "title" : "Organizational Affiliation", "description" : "Identifies that the containing object is a member of the organization associated 
with the provided UUID.", "$id" : "#/definitions/member-of-organization", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "rlink" : { "title" : "Resource link", "description" : "A pointer to an external copy of a document with optional hash for verification", "$id" : "#/definitions/rlink", "type" : "object", "properties" : { "href" : { "title" : "hypertext reference", "description" : "A link to a document or document fragment (actual, nominal or projected)", "type" : "string", "format" : "uri-reference" }, "media-type" : { "title" : "Media type", "description" : "Describes the media type of the linked resource", "type" : "string" }, "hashes" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/hash" } } }, "required" : [ "href" ], "additionalProperties" : false }, "party-name" : { "title" : "Party Name", "description" : "The full (legal) name of the party.", "$id" : "#/definitions/party-name", "type" : "string" }, "short-name" : { "title" : "short-name", "description" : "A common name, short name or acronym", "$id" : "#/definitions/short-name", "type" : "string" }, "address" : { "title" : "Address", "description" : "A postal address.", "$id" : "#/definitions/address", "type" : "object", "properties" : { "type" : { "description" : "Indicates the type of address.", "type" : "string" }, "postal-address" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/addr-line" } }, "city" : { "$ref" : "#/definitions/city" }, "state" : { "$ref" : "#/definitions/state" }, "postal-code" : { "$ref" : "#/definitions/postal-code" }, "country" : { "$ref" : "#/definitions/country" } }, "additionalProperties" : false }, "addr-line" : { "title" : "Address line", "description" : "A single line of an address.", "$id" : "#/definitions/addr-line", "type" : "string" }, "city" : { "title" : "City", "description" : "City, town or geographical region for mailing address", "$id" : 
"#/definitions/city", "type" : "string" }, "state" : { "title" : "State", "description" : "State, province or analogous geographical region for mailing address", "$id" : "#/definitions/state", "type" : "string" }, "postal-code" : { "title" : "Postal Code", "description" : "Postal or ZIP code for mailing address", "$id" : "#/definitions/postal-code", "type" : "string" }, "country" : { "title" : "Country", "description" : "Country for mailing address", "$id" : "#/definitions/country", "type" : "string" }, "email" : { "title" : "Email", "description" : "Email address", "$id" : "#/definitions/email", "type" : "string", "format" : "email", "pattern" : "^.+@.+" }, "phone" : { "title" : "Telephone", "description" : "Contact number by telephone", "$id" : "#/definitions/phone", "type" : "object", "properties" : { "type" : { "description" : "Indicates the type of phone number.", "type" : "string" }, "number" : { "type" : "string" } }, "required" : [ "number" ], "additionalProperties" : false }, "url" : { "title" : "URL", "description" : "URL for web site or Internet presence", "$id" : "#/definitions/url", "type" : "string", "format" : "uri" }, "desc" : { "title" : "Description", "description" : "A short textual description", "$id" : "#/definitions/desc", "type" : "string" }, "text" : { "title" : "Text", "description" : "A line of textual content whose semantic is determined by the context of use.", "$id" : "#/definitions/text", "type" : "string" }, "biblio" : { "title" : "Bibliographic Definition", "description" : "A container in which a set of bibliographic information can be included. 
The model of this information is undefined by OSCAL.", "$id" : "#/definitions/biblio", "type" : "object", "additionalProperties" : false }, "resource" : { "title" : "Resource", "description" : "A resource associated with the present document, which may be a pointer to other data or a citation.", "$id" : "#/definitions/resource", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "title" : { "$ref" : "#/definitions/title" }, "desc" : { "$ref" : "#/definitions/desc" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "document-ids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/doc-id" } }, "citation" : { "$ref" : "#/definitions/citation" }, "rlinks" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/rlink" } }, "attachments" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/base64" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid" ], "additionalProperties" : false }, "citation" : { "title" : "Citation", "description" : "A citation consisting of end note text and optional structured bibliographic data.", "$id" : "#/definitions/citation", "type" : "object", "properties" : { "text" : { "$ref" : "#/definitions/text" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "biblio" : { "$ref" : "#/definitions/biblio" } }, "required" : [ "text" ], "additionalProperties" : false }, "hash" : { "title" : "Hash", "description" : "A representation of a cryptographic digest generated over a resource using a hash algorithm.", "$id" : "#/definitions/hash", "type" : "object", "properties" : { "algorithm" : { "title" : "Hash 
algorithm", "description" : "Method by which a hash is derived", "type" : "string" }, "value" : { "type" : "string" } }, "required" : [ "value", "algorithm" ], "additionalProperties" : false }, "role" : { "title" : "Role", "description" : "Defining a role to be assigned to a party", "$id" : "#/definitions/role", "type" : "object", "properties" : { "id" : { "title" : "Identifier", "description" : "Unique identifier of the containing object", "type" : "string" }, "title" : { "$ref" : "#/definitions/title" }, "short-name" : { "$ref" : "#/definitions/short-name" }, "desc" : { "$ref" : "#/definitions/desc" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "id", "title" ], "additionalProperties" : false }, "responsible-party" : { "title" : "Responsible Party", "description" : "A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.", "$id" : "#/definitions/responsible-party", "type" : "object", "properties" : { "party-uuids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/party-uuid" } }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "party-uuids" ], "additionalProperties" : false }, "title" : { "title" : "Title", "description" : "A title for display and navigation", "$id" : "#/definitions/title", "type" : "string" }, "base64" : { "title" : 
"Base64", "description" : "", "$id" : "#/definitions/base64", "type" : "object", "properties" : { "filename" : { "title" : "File Name", "description" : "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", "type" : "string", "format" : "uri-reference" }, "media-type" : { "title" : "Media type", "description" : "Describes the media type of the linked resource", "type" : "string" }, "value" : { "type" : "string" } }, "required" : [ "value" ], "additionalProperties" : false }, "description" : { "title" : "Description", "description" : "A description supporting the parent item.", "$id" : "#/definitions/description", "type" : "string" }, "remarks" : { "title" : "Remarks", "description" : "Additional commentary on the parent item.", "$id" : "#/definitions/remarks", "type" : "string" }, "responsible-role" : { "title" : "Responsible Role", "description" : "A reference to one or more roles with responsibility for performing a function relative to the control.", "$id" : "#/definitions/responsible-role", "type" : "object", "properties" : { "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "party-ids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/party-uuid" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "additionalProperties" : false }, "system-id" : { "title" : "System Identification", "description" : "A unique identifier for the system described by this system security plan.", "$id" : "#/definitions/system-id", "type" : "object", "properties" : { "identifier-type" : { "title" : "Identification System Type", "description" : "Identifies the identification system from which the provided 
identifier was assigned.", "type" : "string", "format" : "uri" }, "id" : { "type" : "string" } }, "required" : [ "id" ], "additionalProperties" : false }, "status" : { "title" : "Status", "description" : "Describes the operational status of the system.", "$id" : "#/definitions/status", "type" : "object", "properties" : { "state" : { "title" : "State", "description" : "The current operating status.", "type" : "string", "enum" : [ "operational", "under-development", "under-major-modification", "disposition", "other" ] }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "state" ], "additionalProperties" : false }, "role-id" : { "title" : "Role Identifier Reference", "description" : "A reference to the roles served by the user.", "$id" : "#/definitions/role-id", "type" : "string" }, "component" : { "title" : "Component", "description" : "A defined component that can be part of an implemented system.", "$id" : "#/definitions/component", "type" : "object", "properties" : { "component-type" : { "title" : "Component Type", "description" : "A category describing the purpose of the component.", "type" : "string" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "purpose" : { "$ref" : "#/definitions/purpose" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "status" : { "$ref" : "#/definitions/status" }, "responsible-roles" : { "type" : "object", "minProperties" : 1, "additionalProperties" : { "allOf" : [ { "type" : "object", "$ref" : "#/definitions/responsible-role" }, { "not" : { "type" : "string" } } ] } }, "protocols" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/protocol" } }, "remarks" : { "$ref" : "#/definitions/remarks" } 
}, "required" : [ "component-type", "title", "description", "status" ], "additionalProperties" : false }, "protocol" : { "title" : "Protocol", "description" : "Information about the protocol used to provide a service.", "$id" : "#/definitions/protocol", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "name" : { "description" : "The short name of the protocol (e.g., TLS).", "type" : "string" }, "title" : { "$ref" : "#/definitions/title" }, "port-ranges" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/port-range" } } }, "required" : [ "name" ], "additionalProperties" : false }, "port-range" : { "title" : "Port Range", "description" : "Where applicable this is the IPv4 port range on which the service operates.", "$id" : "#/definitions/port-range", "type" : "object", "properties" : { "start" : { "title" : "Start", "description" : "Indicates the starting port number in a port range", "type" : "integer", "multipleOf" : 1, "minimum" : 0 }, "end" : { "title" : "End", "description" : "Indicates the ending port number in a port range", "type" : "integer", "multipleOf" : 1, "minimum" : 0 }, "transport" : { "title" : "Transport", "description" : "Indicates the transport type.", "type" : "string", "enum" : [ "TCP", "UDP" ] } }, "additionalProperties" : false }, "purpose" : { "title" : "Purpose", "description" : "Describes the purpose for the service within the system.", "$id" : "#/definitions/purpose", "type" : "string" }, "inventory-item" : { "title" : "Inventory Item", "description" : "A single managed inventory item within the system.", "$id" : "#/definitions/inventory-item", "type" : "object", "properties" : { "asset-id" : { "title" : "Asset Identifier", "description" : 
"Organizational asset identifier that is unique in the context of the system. This may be a reference to the identifier used in an asset tracking system or a vulnerability scanning tool.", "type" : "string" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "responsible-parties" : { "type" : "object", "minProperties" : 1, "additionalProperties" : { "allOf" : [ { "type" : "object", "$ref" : "#/definitions/responsible-party" }, { "not" : { "type" : "string" } } ] } }, "implemented-components" : { "type" : "object", "minProperties" : 1, "additionalProperties" : { "allOf" : [ { "type" : "object", "$ref" : "#/definitions/implemented-component" }, { "not" : { "type" : "string" } } ] } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "asset-id", "description" ], "additionalProperties" : false }, "implemented-component" : { "title" : "Implemented Component", "description" : "The set of components that are implemented in a given system inventory item.", "$id" : "#/definitions/implemented-component", "type" : "object", "properties" : { "use" : { "title" : "Implementation Use Type", "description" : "The type of implementation", "type" : "string" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "links" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/link" } }, "responsible-parties" : { "type" : "object", "minProperties" : 1, "additionalProperties" : { "allOf" : [ { "type" : "object", "$ref" : "#/definitions/responsible-party" }, { "not" : { "type" : "string" } } ] } }, 
"remarks" : { "$ref" : "#/definitions/remarks" } }, "additionalProperties" : false }, "import-ssp" : { "title" : "Import System Security Plan", "description" : "Used by the assessment plan and POA&M to import information about the system.", "$id" : "#/definitions/import-ssp", "type" : "object", "properties" : { "href" : { "title" : "hypertext reference", "description" : "A link to a document or document fragment (actual, nominal or projected)", "type" : "string", "format" : "uri-reference" }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "href" ], "additionalProperties" : false }, "subject-reference" : { "title" : "Identifies the Subject", "description" : "A pointer to a resource based on its ID. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.", "$id" : "#/definitions/subject-reference", "type" : "object", "properties" : { "uuid-ref" : { "title" : "UUID Reference", "description" : "A pointer to a component, inventory-item, location, party, user, or resource using its UUID.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "type" : { "title" : "Type", "description" : "Indicating the type of identifier, address, email or other data item.", "type" : "string" }, "title" : { "$ref" : "#/definitions/title" }, "props" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } } }, "required" : [ "uuid-ref", "type" ], "additionalProperties" : false }, "compare-to" : { "title" : "Compare To", "description" : "Typically used when copying content from the assessment plan to the assessment results. The uuid should be changed in the assessment results file, and the compare-to field should be set to the original assessment plan uuid value. 
This enables the plan and results to be compared later to identify what changed between the two.", "$id" : "#/definitions/compare-to", "type" : "string" }, "schedule" : { "title" : "Schedule", "description" : "Identifies the schedule for the assessment activities.", "$id" : "#/definitions/schedule", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "tasks" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/task" } } }, "required" : [ "tasks" ], "additionalProperties" : false }, "task" : { "title" : "Task", "description" : "Identifies an individual task.", "$id" : "#/definitions/task", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "start" : { "$ref" : "#/definitions/start" }, "end" : { "$ref" : "#/definitions/end" }, "activity-uuids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/activity-uuid" } }, "role-ids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/role-id" } }, "party-uuids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/party-uuid" } }, "location-uuids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : 
"#/definitions/location-uuid" } }, "compare-to" : { "$ref" : "#/definitions/compare-to" }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid" ], "additionalProperties" : false }, "start" : { "title" : "Start", "description" : "Identifies the start of a task.", "$id" : "#/definitions/start", "type" : "string", "format" : "date-time", "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" }, "end" : { "title" : "End", "description" : "Identifies the end of a task.", "$id" : "#/definitions/end", "type" : "string", "format" : "date-time", "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" }, "activity-uuid" : { "title" : "Activity ID", "description" : "Links the task to a defined activity.", "$id" : "#/definitions/activity-uuid", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "results" : { "title" : "Assessment Results", "description" : "Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. 
In the POA&M, this identifies initial and residual risks, deviations, and disposition.", "$id" : "#/definitions/results", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "start" : { "$ref" : "#/definitions/start" }, "end" : { "$ref" : "#/definitions/end" }, "findings" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/finding" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid", "title", "description", "start", "end", "findings" ], "additionalProperties" : false }, "finding" : { "title" : "Finding", "description" : "Describes an individual finding.", "$id" : "#/definitions/finding", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "date-time-stamp" : { "$ref" : "#/definitions/date-time-stamp" }, "objective-status" : { "$ref" : "#/definitions/objective-status" }, 
"implementation-statement-uuid" : { "$ref" : "#/definitions/implementation-statement-uuid" }, "observations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/observation" } }, "threat-ids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/threat-id" } }, "risks" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/risk" } }, "party-uuids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/party-uuid" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid", "title", "description", "date-time-stamp" ], "additionalProperties" : false }, "implementation-statement-uuid" : { "title" : "Implementation Statement UUID", "description" : "Identifies the implementation statement in the SSP to which this finding is related.", "$id" : "#/definitions/implementation-statement-uuid", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "date-time-stamp" : { "title" : "Date/Time Stamp", "description" : "Date/time stamp identifying when the information was collected.", "$id" : "#/definitions/date-time-stamp", "type" : "string", "format" : "date-time", "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" }, "objective-status" : { "title" : "Implementation Status", "description" : "Captures an assessors conclusions as to whether an objective is fully satisfied.", "$id" : "#/definitions/objective-status", "type" : "object", "properties" : { "objective-id" : { "title" : "Objective ID", "description" : "Points to an assessment objective.", "type" : "string" }, "control-id" : { "title" : "Control Identifier Reference", 
"description" : "A reference to a control identifier.", "type" : "string" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "result" : { "$ref" : "#/definitions/result" }, "implementation-status" : { "$ref" : "#/definitions/implementation-status" }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "additionalProperties" : false }, "result" : { "title" : "Result", "description" : "A brief indication as to whether the objective is satisfied or not.", "$id" : "#/definitions/result", "type" : "object", "properties" : { "system" : { "title" : "Assessment System", "description" : "Identifies the framework or rules to which this value conforms.", "type" : "string", "format" : "uri" }, "STRVALUE" : { "type" : "string" } }, "required" : [ "STRVALUE" ], "additionalProperties" : false }, "implementation-status" : { "title" : "Implementation Status", "description" : "Identifies the implementation status of the control or control objective.", "$id" : "#/definitions/implementation-status", "type" : "object", "properties" : { "system" : { "title" : "Assessment System", "description" : "Identifies the framework or rules to which this value conforms.", "type" : "string", "format" : "uri" }, "STRVALUE" : { "type" : "string" } }, "required" : [ "STRVALUE" ], "additionalProperties" : false }, "observation" : { "title" : "Objective", "description" : "Describes an individual observation.", "$id" : "#/definitions/observation", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : 
"#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "observation-methods" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/observation-method" } }, "observation-types" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/observation-type" } }, "assessors" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/assessor" } }, "subject-references" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/subject-reference" } }, "origins" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/origin" } }, "evidence-group" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/relevant-evidence" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid", "description", "observation-methods" ], "additionalProperties" : false }, "relevant-evidence" : { "title" : "Relevant Evidence", "description" : "Links this observation to relevant evidence.", "$id" : "#/definitions/relevant-evidence", "type" : "object", "properties" : { "href" : { "description" : "Links to evidence as URI. 
May use a URI fragment to point to a resource in the back-matter.", "type" : "string", "format" : "uri-reference" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "description" ], "additionalProperties" : false }, "assessor" : { "title" : "Assessor", "description" : "Identifies an individual who gathered the evidence resulting in the observation or risk identification.", "$id" : "#/definitions/assessor", "type" : "object", "properties" : { "party-uuid" : { "title" : "Party UUID", "description" : "The UUID of the assessor who collected the evidence or made the observation.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "STRVALUE" : { "type" : "string" } }, "required" : [ "STRVALUE", "party-uuid" ], "additionalProperties" : false }, "origin" : { "title" : "Origin", "description" : "Identifies the tool or activity that resulted in the observation.", "$id" : "#/definitions/origin", "type" : "object", "properties" : { "uuid-ref" : { "title" : "UUID Reference", "description" : "A pointer to a relevant item, using its UUID.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "type" : { "title" : "Type", "description" : "Indicating the type of identifier, address, email or other data item.", "type" : "string", "enum" : [ "tool", "test-method", "task", "included-activity", "other" ] }, "STRVALUE" : { "type" : "string" } }, "required" : [ "STRVALUE", "uuid-ref", "type" ], "additionalProperties" : false }, "observation-method" : { "title" : "Observation Method", "description" : "Identifies how the observation was made.", "$id" : 
"#/definitions/observation-method", "type" : "string" }, "observation-type" : { "title" : "Observation Type", "description" : "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.", "$id" : "#/definitions/observation-type", "type" : "string" }, "threat-id" : { "title" : "Threat ID", "description" : "A pointer, by ID, to an externally-defined threat.", "$id" : "#/definitions/threat-id", "type" : "object", "properties" : { "system" : { "title" : "Threat Type Identification System", "description" : "Specifies the source of the threat information.", "type" : "string", "format" : "uri" }, "uri" : { "title" : "URI", "description" : "An optional location for the threat data, from which this ID originates.", "type" : "string", "format" : "uri" }, "STRVALUE" : { "type" : "string" } }, "required" : [ "STRVALUE", "system" ], "additionalProperties" : false }, "risk" : { "title" : "Identified Risk", "description" : "An identified risk.", "$id" : "#/definitions/risk", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "risk-metrics" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/risk-metric" } }, "risk-statement" : { "$ref" : "#/definitions/risk-statement" }, "mitigating-factors" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/mitigating-factor" } }, "remediation-group" : { "type" : "array", "minItems" : 1, 
"items" : { "$ref" : "#/definitions/remediation" } }, "risk-status" : { "$ref" : "#/definitions/risk-status" }, "closure-actions" : { "$ref" : "#/definitions/closure-actions" }, "remediation-tracking" : { "$ref" : "#/definitions/remediation-tracking" }, "party-uuids" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/party-uuid" } } }, "required" : [ "uuid", "title", "description", "risk-statement", "risk-status" ], "additionalProperties" : false }, "risk-metric" : { "title" : "Risk Metric", "description" : "An individual risk metric from a specified system.", "$id" : "#/definitions/risk-metric", "type" : "object", "properties" : { "name" : { "title" : "Name", "description" : "Identifying the purpose and intended use of the property, part or other object.", "type" : "string" }, "class" : { "title" : "Class", "description" : "Indicating the type or classification of the containing object", "type" : "string" }, "system" : { "title" : "System", "description" : "Specifies the system represented by this risk metric.", "type" : "string" }, "STRVALUE" : { "type" : "string" } }, "required" : [ "STRVALUE", "name" ], "additionalProperties" : false }, "remediation-tracking" : { "title" : "Remediation Tracking", "description" : "A log of events and actions taken towards the remediation of the associated risk.", "$id" : "#/definitions/remediation-tracking", "type" : "object", "properties" : { "tracking-entries" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/tracking-entry" } } }, "required" : [ "tracking-entries" ], "additionalProperties" : false }, "tracking-entry" : { "title" : "Tracking Entry", "description" : "Individual remediation tracking entry, which logs an event or action taken towards the remediation of the associated risk.", "$id" : "#/definitions/tracking-entry", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique 
Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "type" : { "title" : "Type", "description" : "Indicating the type of identifier, address, email or other data item.", "type" : "string" }, "date-time-stamp" : { "$ref" : "#/definitions/date-time-stamp" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid", "date-time-stamp", "description" ], "additionalProperties" : false }, "required" : { "title" : "Required", "description" : "Identifies something required to achieve remediation.", "$id" : "#/definitions/required", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "subject-references" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/subject-reference" } }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid", "description" ], "additionalProperties" : false }, "risk-status" : { "title" : "Status", "description" : "Describes the status of the associated risk.", "$id" : "#/definitions/risk-status", "type" : "string" }, 
"closure-actions" : { "title" : "Closer Actions", "description" : "Describes the actions taken that resulted in the closure of the identified risk.", "$id" : "#/definitions/closure-actions", "type" : "string" }, "mitigating-factor" : { "title" : "Mitigating Factor", "description" : "Describes a mitigating factor with an optional link to an implementation statement in the SSP.", "$id" : "#/definitions/mitigating-factor", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "implementation-uuid" : { "title" : "Implementation UUID", "description" : "Points to an implementation statement in the SSP.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "description" : { "$ref" : "#/definitions/description" }, "subject-references" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/subject-reference" } } }, "required" : [ "uuid", "description" ], "additionalProperties" : false }, "remediation" : { "title" : "Remediation", "description" : "Describes either recommendation or an actual plan for remediating the risk.", "$id" : "#/definitions/remediation", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "type" : { "title" : "Type", "description" : "Indicating the type of identifier, address, email or other data item.", "type" : "string" }, "title" : { "$ref" : "#/definitions/title" }, "description" : { "$ref" : "#/definitions/description" }, "properties" : { 
"type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/prop" } }, "annotations" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/annotation" } }, "origins" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/remediation-origin" } }, "requirements" : { "type" : "array", "minItems" : 1, "items" : { "$ref" : "#/definitions/required" } }, "schedule" : { "$ref" : "#/definitions/schedule" }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "required" : [ "uuid", "title", "description" ], "additionalProperties" : false }, "remediation-origin" : { "title" : "Remediation Origin", "description" : "Points to the source of the remediation recommendation or plan", "$id" : "#/definitions/remediation-origin", "type" : "object", "properties" : { "uuid-ref" : { "title" : "UUID Reference", "description" : "A pointer to a relevant item, using it's UUID.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "type" : { "title" : "Type", "description" : "Indicating the type of identifier, address, email or other data item.", "type" : "string" }, "STRVALUE" : { "type" : "string" } }, "required" : [ "STRVALUE", "uuid-ref" ], "additionalProperties" : false }, "risk-statement" : { "title" : "Risk Statement", "description" : "Describes the risk.", "$id" : "#/definitions/risk-statement", "type" : "string" }, "plan-of-action-and-milestones" : { "title" : "Plan of Action and Milestones (POA&M)", "description" : "A plan of action and milestones, such as those required by FedRAMP.", "$id" : "#/definitions/plan-of-action-and-milestones", "type" : "object", "properties" : { "uuid" : { "title" : "Universally Unique Identifier", "description" : "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.", "type" : "string", "pattern" : "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" }, "metadata" : { 
"$ref" : "#/definitions/metadata" }, "import-ssp" : { "$ref" : "#/definitions/import-ssp" }, "system-id" : { "$ref" : "#/definitions/system-id" }, "local-definitions" : { "$ref" : "#/definitions/local-definitions" }, "results" : { "$ref" : "#/definitions/results" }, "back-matter" : { "$ref" : "#/definitions/back-matter" } }, "required" : [ "uuid", "metadata", "results" ], "additionalProperties" : false }, "local-definitions" : { "title" : "Local Definitions", "description" : "Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.", "$id" : "#/definitions/local-definitions", "type" : "object", "properties" : { "components" : { "type" : "object", "minProperties" : 1, "additionalProperties" : { "allOf" : [ { "type" : "object", "$ref" : "#/definitions/component" }, { "not" : { "type" : "string" } } ] } }, "inventory-items" : { "type" : "object", "minProperties" : 1, "additionalProperties" : { "allOf" : [ { "type" : "object", "$ref" : "#/definitions/inventory-item" }, { "not" : { "type" : "string" } } ] } }, "remarks" : { "$ref" : "#/definitions/remarks" } }, "additionalProperties" : false } }, "properties" : { "plan-of-action-and-milestones" : { "$ref" : "#/definitions/plan-of-action-and-milestones" } }, "required" : [ "plan-of-action-and-milestones" ] }