OSCAL Assessment Plan Format
{
"title": "Activity ID",
"description": "Links the task to a defined activity.",
"$id": "#/definitions/activity-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Address line",
"description": "A single line of an address.",
"$id": "#/definitions/addr-line",
"type": "string"
}
{
"title": "Address",
"description": "A postal address.",
"$id": "#/definitions/address",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of address.",
"type": "string"
},
"postal-address": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/addr-line"
}
},
"city": {
"$ref": "#/definitions/city"
},
"state": {
"$ref": "#/definitions/state"
},
"postal-code": {
"$ref": "#/definitions/postal-code"
},
"country": {
"$ref": "#/definitions/country"
}
},
"additionalProperties": false
}
{
"title": "All",
"description": "A key word to indicate all",
"$id": "#/definitions/all",
"type": "string"
}
{
"title": "Annotation",
"description": "A name/value pair with optional explanatory remarks.",
"$id": "#/definitions/annotation",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"value": {
"title": "Value",
"description": "Indicates the value of the characteristic.",
"type": "string"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Assessment Activities",
"description": "Identifies the assessment activities and schedule. In the assessment plan, these are planned activities. In the assessment results, these are the actual activities performed.",
"$id": "#/definitions/assessment-activities",
"type": "object",
"properties": {
"test-methods": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/test-method"
}
},
"schedule": {
"$ref": "#/definitions/schedule"
},
"include-activities": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/include-activity"
}
},
"exclude-activities": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/exclude-activity"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Assessment Method",
"description": "Identifies a method for assessing the satisfaction of this objective.",
"$id": "#/definitions/assessment-method",
"type": "object",
"properties": {
"method-uuid": {
"title": "Method ID",
"description": "Identifies the assessment method.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"method-uuid"
],
"additionalProperties": false
}
{
"title": "Security Assessment Plan (SAP)",
"description": "An assessment plan, such as those provided by a FedRAMP assessor.",
"$id": "#/definitions/assessment-plan",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"metadata": {
"$ref": "#/definitions/metadata"
},
"import-ssp": {
"$ref": "#/definitions/import-ssp"
},
"objectives": {
"$ref": "#/definitions/objectives"
},
"assessment-subjects": {
"$ref": "#/definitions/assessment-subjects"
},
"assets": {
"$ref": "#/definitions/assets"
},
"assessment-activities": {
"$ref": "#/definitions/assessment-activities"
},
"back-matter": {
"$ref": "#/definitions/back-matter"
}
},
"required": [
"uuid",
"metadata",
"import-ssp",
"objectives"
],
"additionalProperties": false
}
{
"title": "Subject of Assessment",
"description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies the planned assessment subject. In the assessment results this is the actual assessment subject, and reflects any changes from the plan.",
"$id": "#/definitions/assessment-subjects",
"type": "object",
"properties": {
"includes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/include-subject"
}
},
"excludes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/exclude-subject"
}
},
"local-definitions": {
"$ref": "#/definitions/local-definitions"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"includes"
],
"additionalProperties": false
}
{
"title": "Assessment Assets",
"description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.",
"$id": "#/definitions/assets",
"type": "object",
"properties": {
"tools": {
"$ref": "#/definitions/tools"
},
"origination": {
"$ref": "#/definitions/origination"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Privilege",
"description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.",
"$id": "#/definitions/authorized-privilege",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"functions-performed": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/function-performed"
}
}
},
"required": [
"title",
"functions-performed"
],
"additionalProperties": false
}
{
"title": "Back matter",
"description": "A collection of citations and resource references.",
"$id": "#/definitions/back-matter",
"type": "object",
"properties": {
"resources": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/resource"
}
}
},
"additionalProperties": false
}
{
"title": "Base64",
"description": "",
"$id": "#/definitions/base64",
"type": "object",
"properties": {
"filename": {
"title": "File Name",
"description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "Bibliographic Definition",
"description": "A container in which a set of bibliographic information can be included. The model of this information is undefined by OSCAL.",
"$id": "#/definitions/biblio",
"type": "object",
"additionalProperties": false
}
{
"title": "Citation",
"description": "A citation consisting of end note text and optional structured bibliographic data.",
"$id": "#/definitions/citation",
"type": "object",
"properties": {
"text": {
"$ref": "#/definitions/text"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"biblio": {
"$ref": "#/definitions/biblio"
}
},
"required": [
"text"
],
"additionalProperties": false
}
{
"title": "City",
"description": "City, town or geographical region for mailing address",
"$id": "#/definitions/city",
"type": "string"
}
{
"title": "Compare To",
"description": "Typically used when copying content from the assessment plan to the assessment results. The uuid should be changed in the assessment results file, and the compare-to field should be set to the original assessment plan uuid value. This enables the plan and results to be compared later to identify what changed between the two.",
"$id": "#/definitions/compare-to",
"type": "string"
}
{
"title": "Component",
"description": "A defined component that can be part of an implemented system.",
"$id": "#/definitions/component",
"type": "object",
"properties": {
"component-type": {
"title": "Component Type",
"description": "A category describing the purpose of the component.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"purpose": {
"$ref": "#/definitions/purpose"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"status": {
"$ref": "#/definitions/status"
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"protocols": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/protocol"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"component-type",
"title",
"description",
"status"
],
"additionalProperties": false
}
{
"title": "Control Objectives",
"description": "Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the actual objectives, and reflect any changes from the plan.",
"$id": "#/definitions/control-objectives",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"all": {
"$ref": "#/definitions/all"
},
"include-objectives": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/include-objective"
}
},
"exclude-objectives": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/exclude-objective"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Assessed Controls",
"description": "Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflect any changes from the plan.",
"$id": "#/definitions/controls",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"all": {
"$ref": "#/definitions/all"
},
"include-controls": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/include-control"
}
},
"exclude-controls": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/exclude-control"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Country",
"description": "Country for mailing address",
"$id": "#/definitions/country",
"type": "string"
}
{
"title": "Description",
"description": "A short textual description",
"$id": "#/definitions/desc",
"type": "string"
}
{
"title": "Description",
"description": "A description supporting the parent item.",
"$id": "#/definitions/description",
"type": "string"
}
{
"title": "Document Identifier",
"description": "A document identifier qualified by an identifier type.",
"$id": "#/definitions/doc-id",
"type": "object",
"properties": {
"type": {
"description": "Qualifies the kind of document identifier.",
"type": "string"
},
"identifier": {
"type": "string"
}
},
"required": [
"identifier",
"type"
],
"additionalProperties": false
}
{
"title": "Email",
"description": "Email address",
"$id": "#/definitions/email",
"type": "string",
"format": "email",
"pattern": "^.+@.+"
}
{
"title": "End",
"description": "Identifies the end of a task.",
"$id": "#/definitions/end",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Excluded Activity",
"description": "Identifies an activity explicitly excluded from the assessment. In the assessment plan, this clarifies activities that are out-of-scope or prohibited. In the assessment results, this could be used to explicitly identify an activity that was planned, but not performed.",
"$id": "#/definitions/exclude-activity",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Exclude Control",
"description": "Identifies an individual control to exclude.",
"$id": "#/definitions/exclude-control",
"type": "object",
"properties": {
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"control-id"
],
"additionalProperties": false
}
{
"title": "Exclude Objective",
"description": "Identifies an individual control objective to exclude.",
"$id": "#/definitions/exclude-objective",
"type": "object",
"properties": {
"objective-id": {
"title": "Objective ID",
"description": "Points to an assessment objective.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"objective-id"
],
"additionalProperties": false
}
{
"title": "Excluded Assessment Subject",
"description": "Identifies what is explicitly excluded from this assessment. Used to remove a subset of items from groups of explicitly included items. Also used to explicitly clarify off-limit items, such as hosts to avoid scanning.",
"$id": "#/definitions/exclude-subject",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"all": {
"$ref": "#/definitions/all"
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name",
"description"
],
"additionalProperties": false
}
{
"title": "Personal Identifier",
"description": "An identifier for a person (such as an ORCID) using a designated scheme.",
"$id": "#/definitions/external-id",
"type": "object",
"properties": {
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"id": {
"type": "string"
}
},
"required": [
"id",
"type"
],
"additionalProperties": false
}
{
"title": "Functions Performed",
"description": "Describes a function performed for a given authorized privilege by this user class.",
"$id": "#/definitions/function-performed",
"type": "string"
}
{
"title": "Hash",
"description": "A representation of a cryptographic digest generated over a resource using a hash algorithm.",
"$id": "#/definitions/hash",
"type": "object",
"properties": {
"algorithm": {
"title": "Hash algorithm",
"description": "Method by which a hash is derived",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"algorithm"
],
"additionalProperties": false
}
{
"title": "Implemented Component",
"description": "The set of components that are implemented in a given system inventory item.",
"$id": "#/definitions/implemented-component",
"type": "object",
"properties": {
"use": {
"title": "Implementation Use Type",
"description": "The type of implementation",
"type": "string"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Import System Security Plan",
"description": "Used by the assessment plan and POA&M to import information about the system.",
"$id": "#/definitions/import-ssp",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Included Activity",
"description": "Identifies an assessment activity. In the assessment plan, this is an intended/in-scope activity. In the assessment results, this identifies an activity that was actually performed.",
"$id": "#/definitions/include-activity",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Include Control",
"description": "Identifies an individual control to include.",
"$id": "#/definitions/include-control",
"type": "object",
"properties": {
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"control-id"
],
"additionalProperties": false
}
{
"title": "Include Objective",
"description": "Identifies an individual control objective to include.",
"$id": "#/definitions/include-objective",
"type": "object",
"properties": {
"objective-id": {
"title": "Objective ID",
"description": "Points to an assessment objective.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"objective-id"
],
"additionalProperties": false
}
{
"title": "Included Assessment Subject",
"description": "Identifies exactly what will be the focus of this assessment. Anything not explicitly defined is out-of-scope.",
"$id": "#/definitions/include-subject",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"all": {
"$ref": "#/definitions/all"
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name",
"description"
],
"additionalProperties": false
}
{
"title": "Inventory Item",
"description": "A single managed inventory item within the system.",
"$id": "#/definitions/inventory-item",
"type": "object",
"properties": {
"asset-id": {
"title": "Asset Identifier",
"description": "Organizational asset identifier that is unique in the context of the system. This may be a reference to the identifier used in an asset tracking system or a vulnerability scanning tool.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"implemented-components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/implemented-component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"asset-id",
"description"
],
"additionalProperties": false
}
{
"title": "Last modified timestamp",
"description": "Date and time of last modification.",
"$id": "#/definitions/last-modified",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Link",
"description": "A reference to a local or remote resource",
"$id": "#/definitions/link",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"rel": {
"title": "Relation",
"description": "Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.",
"type": "string"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"text": {
"type": "string"
}
},
"required": [
"text",
"href"
],
"additionalProperties": false
}
{
"title": "Local Definitions",
"description": "Allows control objectives, users, components, and inventory-items to be defined within the assessment plan or assessment results for circumstances where they are not appropriately defined in the SSP. NOTE: Use the assessment plan or assessment results metadata to define additional locations if needed.",
"$id": "#/definitions/local-definitions",
"type": "object",
"properties": {
"components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"inventory-items": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/inventory-item"
},
{
"not": {
"type": "string"
}
}
]
}
},
"users": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/user"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Location",
"description": "A location, with associated metadata that can be referenced.",
"$id": "#/definitions/location",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"address": {
"$ref": "#/definitions/address"
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"URLs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/url"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"address"
],
"additionalProperties": false
}
{
"title": "Location Reference",
"description": "References a location defined in metadata.",
"$id": "#/definitions/location-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Organizational Affiliation",
"description": "Identifies that the containing object is a member of the organization associated with the provided UUID.",
"$id": "#/definitions/member-of-organization",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Publication metadata",
"description": "Provides information about the publication and availability of the containing document.",
"$id": "#/definitions/metadata",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"revision-history": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/revision"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"roles": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role"
}
},
"locations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location"
}
},
"parties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"title",
"last-modified",
"version",
"oscal-version"
],
"additionalProperties": false
}
{
"title": "Assessment Method",
"description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment actions.",
"$id": "#/definitions/method",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"part": {
"$ref": "#/definitions/part"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"part"
],
"additionalProperties": false
}
{
"title": "Control Objective",
"description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment actions.",
"$id": "#/definitions/objective",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"part": {
"$ref": "#/definitions/part"
},
"methods": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/assessment-method"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"control-id",
"part"
],
"additionalProperties": false
}
{
"title": "Objectives of Assessment",
"description": "Identifies the controls being assessed and their control objectives. In the assessment plans, these are the planned controls and objectives. In the assessment results, these are the actual controls and objectives, and reflect any changes from the plan.",
"$id": "#/definitions/objectives",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"control-group": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/controls"
}
},
"control-objective-group": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/control-objectives"
}
},
"objective": {
"$ref": "#/definitions/objective"
},
"method-definitions": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/method"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"control-group"
],
"additionalProperties": false
}
{
"title": "Assessment Origination",
"description": "Identifies the origination of network-based assessment activities, such as the IP address of the tool performing assessment scans.",
"$id": "#/definitions/origination",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
}
},
"required": [
"title"
],
"additionalProperties": false
}
{
"title": "OSCAL version",
"description": "OSCAL model version.",
"$id": "#/definitions/oscal-version",
"type": "string"
}
{
"title": "Part",
"description": "A partition or component of a control or part",
"$id": "#/definitions/part",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"prose": {
"$ref": "#/definitions/prose"
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Party (organization or person)",
"description": "A responsible entity, either singular (an organization or person) or collective (multiple persons)",
"$id": "#/definitions/party",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Party Type",
"description": "A category describing the kind of party the object describes.",
"type": "string",
"enum": [
"person",
"organization"
]
},
"party-name": {
"$ref": "#/definitions/party-name"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"external-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/external-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/address"
}
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"member-of-organizations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/member-of-organization"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"type",
"party-name"
],
"additionalProperties": false
}
{
"title": "Party Name",
"description": "The full (legal) name of the party.",
"$id": "#/definitions/party-name",
"type": "string"
}
{
"title": "Party Reference",
"description": "References a party defined in metadata.",
"$id": "#/definitions/party-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Telephone",
"description": "Contact number by telephone",
"$id": "#/definitions/phone",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of phone number.",
"type": "string"
},
"number": {
"type": "string"
}
},
"required": [
"number"
],
"additionalProperties": false
}
{
"title": "Port Range",
"description": "Where applicable this is the IPv4 port range on which the service operates.",
"$id": "#/definitions/port-range",
"type": "object",
"properties": {
"start": {
"title": "Start",
"description": "Indicates the starting port number in a port range",
"type": "integer",
"multipleOf": 1,
"minimum": 0
},
"end": {
"title": "End",
"description": "Indicates the ending port number in a port range",
"type": "integer",
"multipleOf": 1,
"minimum": 0
},
"transport": {
"title": "Transport",
"description": "Indicates the transport type.",
"type": "string",
"enum": [
"TCP",
"UDP"
]
}
},
"additionalProperties": false
}
{
"title": "Postal Code",
"description": "Postal or ZIP code for mailing address",
"$id": "#/definitions/postal-code",
"type": "string"
}
{
"title": "Property",
"description": "A value with a name, attributed to the containing control, part, or group.",
"$id": "#/definitions/prop",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"name"
],
"additionalProperties": false
}
{
"title": "Prose",
"description": "Prose permits multiple paragraphs, lists, tables etc.",
"$id": "#/definitions/prose",
"type": "string"
}
{
"title": "Protocol",
"description": "Information about the protocol used to provide a service.",
"$id": "#/definitions/protocol",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"name": {
"description": "The short name of the protocol (e.g., TLS).",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"port-ranges": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/port-range"
}
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Publication Timestamp",
"description": "The date and time this document was published.",
"$id": "#/definitions/published",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Purpose",
"description": "Describes the purpose for the service within the system.",
"$id": "#/definitions/purpose",
"type": "string"
}
{
"title": "Remarks",
"description": "Additional commentary on the parent item.",
"$id": "#/definitions/remarks",
"type": "string"
}
{
"title": "Resource",
"description": "A resource associated with the present document, which may be a pointer to other data or a citation.",
"$id": "#/definitions/resource",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"citation": {
"$ref": "#/definitions/citation"
},
"rlinks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/rlink"
}
},
"attachments": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/base64"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Responsible Party",
"description": "A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.",
"$id": "#/definitions/responsible-party",
"type": "object",
"properties": {
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"party-uuids"
],
"additionalProperties": false
}
{
"title": "Responsible Role",
"description": "A reference to one or more roles with responsibility for performing a function relative to the control.",
"$id": "#/definitions/responsible-role",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"party-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Revision History Entry",
"description": "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).",
"$id": "#/definitions/revision",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Resource link",
"description": "A pointer to an external copy of a document with optional hash for verification",
"$id": "#/definitions/rlink",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"hashes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/hash"
}
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Role",
"description": "Defining a role to be assigned to a party",
"$id": "#/definitions/role",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"title"
],
"additionalProperties": false
}
{
"title": "Role Identifier Reference",
"description": "A reference to the roles served by the user.",
"$id": "#/definitions/role-id",
"type": "string"
}
{
"title": "Schedule",
"description": "Identifies the schedule for the assessment activities.",
"$id": "#/definitions/schedule",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"tasks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/task"
}
}
},
"required": [
"tasks"
],
"additionalProperties": false
}
{
"title": "Sequence Number",
"description": "Identifies the sequence number for the test step.",
"$id": "#/definitions/sequence",
"type": "integer"
}
{
"title": "short-name",
"description": "A common name, short name or acronym",
"$id": "#/definitions/short-name",
"type": "string"
}
{
"title": "Start",
"description": "Identifies the start of a task.",
"$id": "#/definitions/start",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "State",
"description": "State, province or analogous geographical region for mailing address",
"$id": "#/definitions/state",
"type": "string"
}
{
"title": "Status",
"description": "Describes the operational status of the system.",
"$id": "#/definitions/status",
"type": "object",
"properties": {
"state": {
"title": "State",
"description": "The current operating status.",
"type": "string",
"enum": [
"operational",
"under-development",
"under-major-modification",
"disposition",
"other"
]
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"state"
],
"additionalProperties": false
}
{
"title": "Identifies the Subject",
"description": "A pointer to a resource based on its ID. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.",
"$id": "#/definitions/subject-reference",
"type": "object",
"properties": {
"uuid-ref": {
"title": "UUID Reference",
"description": "A pointer to a component, inventory-item, location, party, user, or resource using its UUID.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"props": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
}
},
"required": [
"uuid-ref",
"type"
],
"additionalProperties": false
}
{
"title": "Task",
"description": "Identifies an individual task.",
"$id": "#/definitions/task",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"start": {
"$ref": "#/definitions/start"
},
"end": {
"$ref": "#/definitions/end"
},
"activity-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/activity-uuid"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Test Method",
"description": "Identifies an individual test method.",
"$id": "#/definitions/test-method",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"test-steps": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/test-step"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Test Steps",
"description": "Identifies an individual test step.",
"$id": "#/definitions/test-step",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"sequence": {
"$ref": "#/definitions/sequence"
},
"description": {
"$ref": "#/definitions/description"
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Text",
"description": "A line of textual content whose semantic is determined by the context of use.",
"$id": "#/definitions/text",
"type": "string"
}
{
"title": "Title",
"description": "A title for display and navigation",
"$id": "#/definitions/title",
"type": "string"
}
{
"title": "Assessment Assets",
"description": "The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.",
"$id": "#/definitions/tools",
"type": "object",
"properties": {
"components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/component"
},
{
"not": {
"type": "string"
}
}
]
}
}
},
"additionalProperties": false
}
{
"title": "URL",
"description": "URL for web site or Internet presence",
"$id": "#/definitions/url",
"type": "string",
"format": "uri"
}
{
"title": "System User Class",
"description": "A type of user that interacts with the system based on an associated role.",
"$id": "#/definitions/user",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"authorized-privileges": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/authorized-privilege"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"role-ids"
],
"additionalProperties": false
}
{
"title": "Document version",
"description": "The version of the document content.",
"$id": "#/definitions/version",
"type": "string"
}
OSCAL Assessment Results Format
{
"title": "Activity ID",
"description": "Links the task to a defined activity.",
"$id": "#/definitions/activity-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Address line",
"description": "A single line of an address.",
"$id": "#/definitions/addr-line",
"type": "string"
}
{
"title": "Address",
"description": "A postal address.",
"$id": "#/definitions/address",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of address.",
"type": "string"
},
"postal-address": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/addr-line"
}
},
"city": {
"$ref": "#/definitions/city"
},
"state": {
"$ref": "#/definitions/state"
},
"postal-code": {
"$ref": "#/definitions/postal-code"
},
"country": {
"$ref": "#/definitions/country"
}
},
"additionalProperties": false
}
{
"title": "All",
"description": "A key word to indicate all",
"$id": "#/definitions/all",
"type": "string"
}
{
"title": "Annotation",
"description": "A name/value pair with optional explanatory remarks.",
"$id": "#/definitions/annotation",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"value": {
"title": "Value",
"description": "Indicates the value of the characteristic.",
"type": "string"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Assessment Activities",
"description": "Identifies the assessment activities and schedule. In the assessment plan, these are planned activities. In the assessment results, these are the actual activities performed.",
"$id": "#/definitions/assessment-activities",
"type": "object",
"properties": {
"test-methods": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/test-method"
}
},
"schedule": {
"$ref": "#/definitions/schedule"
},
"include-activities": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/include-activity"
}
},
"exclude-activities": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/exclude-activity"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Assessment Method",
"description": "Identifies a method for assessing the satisfaction of this objective.",
"$id": "#/definitions/assessment-method",
"type": "object",
"properties": {
"method-uuid": {
"title": "Method ID",
"description": "Identifies the assessment method.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"method-uuid"
],
"additionalProperties": false
}
{
"title": "Security Assessment Results (SAR)",
"description": "Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.",
"$id": "#/definitions/assessment-results",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"metadata": {
"$ref": "#/definitions/metadata"
},
"import-ap": {
"$ref": "#/definitions/import-ap"
},
"objectives": {
"$ref": "#/definitions/objectives"
},
"assessment-subjects": {
"$ref": "#/definitions/assessment-subjects"
},
"assets": {
"$ref": "#/definitions/assets"
},
"assessment-activities": {
"$ref": "#/definitions/assessment-activities"
},
"results_group": {
"anyOf": [
{
"$ref": "#/definitions/results"
},
{
"type": "array",
"items": {
"$ref": "#/definitions/results"
},
"minItems": 2
}
]
},
"back-matter": {
"$ref": "#/definitions/back-matter"
}
},
"required": [
"uuid",
"metadata",
"import-ap",
"objectives",
"results_group"
],
"additionalProperties": false
}
{
"title": "Subject of Assessment",
"description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies the planned assessment subject. In the assessment results this is the actual assessment subject, and reflects any changes from the plan.",
"$id": "#/definitions/assessment-subjects",
"type": "object",
"properties": {
"includes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/include-subject"
}
},
"excludes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/exclude-subject"
}
},
"local-definitions": {
"$ref": "#/definitions/local-definitions"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"includes"
],
"additionalProperties": false
}
{
"title": "Assessor",
"description": "Identifies an individual who gathered the evidence resulting in the observation or risk identification.",
"$id": "#/definitions/assessor",
"type": "object",
"properties": {
"party-uuid": {
"title": "Party UUID",
"description": "The UUID of the assessor who collected the evidence or made the observation.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"party-uuid"
],
"additionalProperties": false
}
{
"title": "Assessment Assets",
"description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.",
"$id": "#/definitions/assets",
"type": "object",
"properties": {
"tools": {
"$ref": "#/definitions/tools"
},
"origination": {
"$ref": "#/definitions/origination"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Privilege",
"description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.",
"$id": "#/definitions/authorized-privilege",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"functions-performed": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/function-performed"
}
}
},
"required": [
"title",
"functions-performed"
],
"additionalProperties": false
}
{
"title": "Back matter",
"description": "A collection of citations and resource references.",
"$id": "#/definitions/back-matter",
"type": "object",
"properties": {
"resources": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/resource"
}
}
},
"additionalProperties": false
}
{
"title": "Base64",
"description": "",
"$id": "#/definitions/base64",
"type": "object",
"properties": {
"filename": {
"title": "File Name",
"description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "Bibliographic Definition",
"description": "A container in which a set of bibliographic information can be included. The model of this information is undefined by OSCAL.",
"$id": "#/definitions/biblio",
"type": "object",
"additionalProperties": false
}
{
"title": "Citation",
"description": "A citation consisting of end note text and optional structured bibliographic data.",
"$id": "#/definitions/citation",
"type": "object",
"properties": {
"text": {
"$ref": "#/definitions/text"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"biblio": {
"$ref": "#/definitions/biblio"
}
},
"required": [
"text"
],
"additionalProperties": false
}
{
"title": "City",
"description": "City, town or geographical region for mailing address",
"$id": "#/definitions/city",
"type": "string"
}
{
"title": "Closure Actions",
"description": "Describes the actions taken that resulted in the closure of the identified risk.",
"$id": "#/definitions/closure-actions",
"type": "string"
}
{
"title": "Compare To",
"description": "Typically used when copying content from the assessment plan to the assessment results. The uuid should be changed in the assessment results file, and the compare-to field should be set to the original assessment plan uuid value. This enables the plan and results to be compared later to identify what changed between the two.",
"$id": "#/definitions/compare-to",
"type": "string"
}
{
"title": "Component",
"description": "A defined component that can be part of an implemented system.",
"$id": "#/definitions/component",
"type": "object",
"properties": {
"component-type": {
"title": "Component Type",
"description": "A category describing the purpose of the component.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"purpose": {
"$ref": "#/definitions/purpose"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"status": {
"$ref": "#/definitions/status"
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"protocols": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/protocol"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"component-type",
"title",
"description",
"status"
],
"additionalProperties": false
}
{
"title": "Control Objectives",
"description": "Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the actual objectives, and reflect any changes from the plan.",
"$id": "#/definitions/control-objectives",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"all": {
"$ref": "#/definitions/all"
},
"include-objectives": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/include-objective"
}
},
"exclude-objectives": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/exclude-objective"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Assessed Controls",
"description": "Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflect any changes from the plan.",
"$id": "#/definitions/controls",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"all": {
"$ref": "#/definitions/all"
},
"include-controls": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/include-control"
}
},
"exclude-controls": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/exclude-control"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Country",
"description": "Country for mailing address",
"$id": "#/definitions/country",
"type": "string"
}
{
"title": "Date/Time Stamp",
"description": "Date/time stamp identifying when the information was collected.",
"$id": "#/definitions/date-time-stamp",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Description",
"description": "A short textual description",
"$id": "#/definitions/desc",
"type": "string"
}
{
"title": "Description",
"description": "A description supporting the parent item.",
"$id": "#/definitions/description",
"type": "string"
}
{
"title": "Document Identifier",
"description": "A document identifier qualified by an identifier type.",
"$id": "#/definitions/doc-id",
"type": "object",
"properties": {
"type": {
"description": "Qualifies the kind of document identifier.",
"type": "string"
},
"identifier": {
"type": "string"
}
},
"required": [
"identifier",
"type"
],
"additionalProperties": false
}
{
"title": "Email",
"description": "Email address",
"$id": "#/definitions/email",
"type": "string",
"format": "email",
"pattern": "^.+@.+"
}
{
"title": "End",
"description": "Identifies the end of a task.",
"$id": "#/definitions/end",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Excluded Activity",
"description": "Identifies an activity explicitly excluded from the assessment. In the assessment plan, this clarifies activities that are out-of-scope or prohibited. In the assessment results, this could be used to explicitly identify an activity that was planned, but not performed.",
"$id": "#/definitions/exclude-activity",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Exclude Control",
"description": "Identifies an individual control to exclude.",
"$id": "#/definitions/exclude-control",
"type": "object",
"properties": {
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"control-id"
],
"additionalProperties": false
}
{
"title": "Exclude Objective",
"description": "Identifies an individual control objective to exclude.",
"$id": "#/definitions/exclude-objective",
"type": "object",
"properties": {
"objective-id": {
"title": "Objective ID",
"description": "Points to an assessment objective.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"objective-id"
],
"additionalProperties": false
}
{
"title": "Excluded Assessment Subject",
"description": "Identifies what is explicitly excluded from this assessment. Used to remove a subset of items from groups of explicitly included items. Also used to explicitly clarify off-limit items, such as hosts to avoid scanning.",
"$id": "#/definitions/exclude-subject",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"all": {
"$ref": "#/definitions/all"
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name",
"description"
],
"additionalProperties": false
}
{
"title": "Personal Identifier",
"description": "An identifier for a person (such as an ORCID) using a designated scheme.",
"$id": "#/definitions/external-id",
"type": "object",
"properties": {
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"id": {
"type": "string"
}
},
"required": [
"id",
"type"
],
"additionalProperties": false
}
{
"title": "Finding",
"description": "Describes an individual finding.",
"$id": "#/definitions/finding",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"date-time-stamp": {
"$ref": "#/definitions/date-time-stamp"
},
"objective-status": {
"$ref": "#/definitions/objective-status"
},
"implementation-statement-uuid": {
"$ref": "#/definitions/implementation-statement-uuid"
},
"observations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/observation"
}
},
"threat-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/threat-id"
}
},
"risks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/risk"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"title",
"description",
"date-time-stamp"
],
"additionalProperties": false
}
{
"title": "Functions Performed",
"description": "Describes a function performed for a given authorized privilege by this user class.",
"$id": "#/definitions/function-performed",
"type": "string"
}
{
"title": "Hash",
"description": "A representation of a cryptographic digest generated over a resource using a hash algorithm.",
"$id": "#/definitions/hash",
"type": "object",
"properties": {
"algorithm": {
"title": "Hash algorithm",
"description": "Method by which a hash is derived",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"algorithm"
],
"additionalProperties": false
}
{
"title": "Implementation Statement UUID",
"description": "Identifies the implementation statement in the SSP to which this finding is related.",
"$id": "#/definitions/implementation-statement-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Implementation Status",
"description": "Identifies the implementation status of the control or control objective.",
"$id": "#/definitions/implementation-status",
"type": "object",
"properties": {
"system": {
"title": "Assessment System",
"description": "Identifies the framework or rules to which this value conforms.",
"type": "string",
"format": "uri"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE"
],
"additionalProperties": false
}
{
"title": "Implemented Component",
"description": "The set of components that are implemented in a given system inventory item.",
"$id": "#/definitions/implemented-component",
"type": "object",
"properties": {
"use": {
"title": "Implementation Use Type",
"description": "The type of implementation",
"type": "string"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Import Assessment Plan",
"description": "Used by assessment-results to import information about the original plan for assessing the system.",
"$id": "#/definitions/import-ap",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Included Activity",
"description": "Identifies an assessment activity. In the assessment plan, this is an intended/in-scope activity. In the assessment results, this identifies an activity that was actually performed.",
"$id": "#/definitions/include-activity",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Include Control",
"description": "Identifies an individual control to include.",
"$id": "#/definitions/include-control",
"type": "object",
"properties": {
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"control-id"
],
"additionalProperties": false
}
{
"title": "Include Objective",
"description": "Identifies an individual control objective to include.",
"$id": "#/definitions/include-objective",
"type": "object",
"properties": {
"objective-id": {
"title": "Objective ID",
"description": "Points to an assessment objective.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"objective-id"
],
"additionalProperties": false
}
{
"title": "Included Assessment Subject",
"description": "Identifies exactly what will be the focus of this assessment. Anything not explicitly defined is out-of-scope.",
"$id": "#/definitions/include-subject",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"all": {
"$ref": "#/definitions/all"
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name",
"description"
],
"additionalProperties": false
}
{
"title": "Inventory Item",
"description": "A single managed inventory item within the system.",
"$id": "#/definitions/inventory-item",
"type": "object",
"properties": {
"asset-id": {
"title": "Asset Identifier",
"description": "Organizational asset identifier that is unique in the context of the system. This may be a reference to the identifier used in an asset tracking system or a vulnerability scanning tool.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"implemented-components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/implemented-component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"asset-id",
"description"
],
"additionalProperties": false
}
{
"title": "Last modified timestamp",
"description": "Date and time of last modification.",
"$id": "#/definitions/last-modified",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Link",
"description": "A reference to a local or remote resource",
"$id": "#/definitions/link",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"rel": {
"title": "Relation",
"description": "Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.",
"type": "string"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"text": {
"type": "string"
}
},
"required": [
"text",
"href"
],
"additionalProperties": false
}
{
"title": "Local Definitions",
"description": "Allows control objectives, users, components, and inventory-items to be defined within the assessment plan or assessment results for circumstances where they are not appropriately defined in the SSP. NOTE: Use the assessment plan or assessment results metadata to define additional locations if needed.",
"$id": "#/definitions/local-definitions",
"type": "object",
"properties": {
"components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"inventory-items": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/inventory-item"
},
{
"not": {
"type": "string"
}
}
]
}
},
"users": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/user"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Location",
"description": "A location, with associated metadata that can be referenced.",
"$id": "#/definitions/location",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"address": {
"$ref": "#/definitions/address"
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"URLs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/url"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"address"
],
"additionalProperties": false
}
{
"title": "Location Reference",
"description": "References a location defined in metadata.",
"$id": "#/definitions/location-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Organizational Affiliation",
"description": "Identifies that the containing object is a member of the organization associated with the provided UUID.",
"$id": "#/definitions/member-of-organization",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Publication metadata",
"description": "Provides information about the publication and availability of the containing document.",
"$id": "#/definitions/metadata",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"revision-history": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/revision"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"roles": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role"
}
},
"locations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location"
}
},
"parties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"title",
"last-modified",
"version",
"oscal-version"
],
"additionalProperties": false
}
{
"title": "Assessment Method",
"description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment actions.",
"$id": "#/definitions/method",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"part": {
"$ref": "#/definitions/part"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"part"
],
"additionalProperties": false
}
{
"title": "Mitigating Factor",
"description": "Describes a mitigating factor with an optional link to an implementation statement in the SSP.",
"$id": "#/definitions/mitigating-factor",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"implementation-uuid": {
"title": "Implementation UUID",
"description": "Points to an implementation statement in the SSP.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"description": {
"$ref": "#/definitions/description"
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Control Objective",
"description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment actions.",
"$id": "#/definitions/objective",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"part": {
"$ref": "#/definitions/part"
},
"methods": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/assessment-method"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"control-id",
"part"
],
"additionalProperties": false
}
{
"title": "Implementation Status",
"description": "Captures an assessor's conclusions as to whether an objective is fully satisfied.",
"$id": "#/definitions/objective-status",
"type": "object",
"properties": {
"objective-id": {
"title": "Objective ID",
"description": "Points to an assessment objective.",
"type": "string"
},
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"result": {
"$ref": "#/definitions/result"
},
"implementation-status": {
"$ref": "#/definitions/implementation-status"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Objectives of Assessment",
"description": "Identifies the controls being assessed and their control objectives. In the assessment plans, these are the planned controls and objectives. In the assessment results, these are the actual controls and objectives, and reflect any changes from the plan.",
"$id": "#/definitions/objectives",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"control-group": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/controls"
}
},
"control-objective-group": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/control-objectives"
}
},
"objective": {
"$ref": "#/definitions/objective"
},
"method-definitions": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/method"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"control-group"
],
"additionalProperties": false
}
{
"title": "Observation",
"description": "Describes an individual observation.",
"$id": "#/definitions/observation",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"observation-methods": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/observation-method"
}
},
"observation-types": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/observation-type"
}
},
"assessors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/assessor"
}
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
},
"origins": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/origin"
}
},
"evidence-group": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/relevant-evidence"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description",
"observation-methods"
],
"additionalProperties": false
}
{
"title": "Observation Method",
"description": "Identifies how the observation was made.",
"$id": "#/definitions/observation-method",
"type": "string"
}
{
"title": "Observation Type",
"description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.",
"$id": "#/definitions/observation-type",
"type": "string"
}
{
"title": "Origin",
"description": "Identifies the tool or activity that resulted in the observation.",
"$id": "#/definitions/origin",
"type": "object",
"properties": {
"uuid-ref": {
"title": "UUID Reference",
"description": "A pointer to a relevant item, using its UUID.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string",
"enum": [
"tool",
"test-method",
"task",
"included-activity",
"other"
]
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"uuid-ref",
"type"
],
"additionalProperties": false
}
{
"title": "Assessment Origination",
"description": "Identifies the origination of network-based assessment activities, such as the IP address of the tool performing assessment scans.",
"$id": "#/definitions/origination",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
}
},
"required": [
"title"
],
"additionalProperties": false
}
{
"title": "OSCAL version",
"description": "OSCAL model version.",
"$id": "#/definitions/oscal-version",
"type": "string"
}
{
"title": "Part",
"description": "A partition or component of a control or part",
"$id": "#/definitions/part",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"prose": {
"$ref": "#/definitions/prose"
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Party (organization or person)",
"description": "A responsible entity, either singular (an organization or person) or collective (multiple persons)",
"$id": "#/definitions/party",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Party Type",
"description": "A category describing the kind of party the object describes.",
"type": "string",
"enum": [
"person",
"organization"
]
},
"party-name": {
"$ref": "#/definitions/party-name"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"external-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/external-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/address"
}
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"member-of-organizations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/member-of-organization"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"type",
"party-name"
],
"additionalProperties": false
}
{
"title": "Party Name",
"description": "The full (legal) name of the party.",
"$id": "#/definitions/party-name",
"type": "string"
}
{
"title": "Party Reference",
"description": "References a party defined in metadata.",
"$id": "#/definitions/party-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Telephone",
"description": "Contact number by telephone",
"$id": "#/definitions/phone",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of phone number.",
"type": "string"
},
"number": {
"type": "string"
}
},
"required": [
"number"
],
"additionalProperties": false
}
{
"title": "Port Range",
"description": "Where applicable this is the IPv4 port range on which the service operates.",
"$id": "#/definitions/port-range",
"type": "object",
"properties": {
"start": {
"title": "Start",
"description": "Indicates the starting port number in a port range",
"type": "integer",
"multipleOf": 1,
"minimum": 0
},
"end": {
"title": "End",
"description": "Indicates the ending port number in a port range",
"type": "integer",
"multipleOf": 1,
"minimum": 0
},
"transport": {
"title": "Transport",
"description": "Indicates the transport type.",
"type": "string",
"enum": [
"TCP",
"UDP"
]
}
},
"additionalProperties": false
}
{
"title": "Postal Code",
"description": "Postal or ZIP code for mailing address",
"$id": "#/definitions/postal-code",
"type": "string"
}
{
"title": "Property",
"description": "A value with a name, attributed to the containing control, part, or group.",
"$id": "#/definitions/prop",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"name"
],
"additionalProperties": false
}
{
"title": "Prose",
"description": "Prose permits multiple paragraphs, lists, tables etc.",
"$id": "#/definitions/prose",
"type": "string"
}
{
"title": "Protocol",
"description": "Information about the protocol used to provide a service.",
"$id": "#/definitions/protocol",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"name": {
"description": "The short name of the protocol (e.g., TLS).",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"port-ranges": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/port-range"
}
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Publication Timestamp",
"description": "The date and time this document was published.",
"$id": "#/definitions/published",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Purpose",
"description": "Describes the purpose for the service within the system.",
"$id": "#/definitions/purpose",
"type": "string"
}
{
"title": "Relevant Evidence",
"description": "Links this observation to relevant evidence.",
"$id": "#/definitions/relevant-evidence",
"type": "object",
"properties": {
"href": {
"description": "Links to evidence as URI. May use a URI fragment to point to a resource in the back-matter.",
"type": "string",
"format": "uri-reference"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"description"
],
"additionalProperties": false
}
{
"title": "Remarks",
"description": "Additional commentary on the parent item.",
"$id": "#/definitions/remarks",
"type": "string"
}
{
"title": "Remediation",
"description": "Describes either a recommendation or an actual plan for remediating the risk.",
"$id": "#/definitions/remediation",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"origins": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/remediation-origin"
}
},
"requirements": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/required"
}
},
"schedule": {
"$ref": "#/definitions/schedule"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"title",
"description"
],
"additionalProperties": false
}
{
"title": "Remediation Origin",
"description": "Points to the source of the remediation recommendation or plan",
"$id": "#/definitions/remediation-origin",
"type": "object",
"properties": {
"uuid-ref": {
"title": "UUID Reference",
"description": "A pointer to a relevant item, using its UUID.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"uuid-ref"
],
"additionalProperties": false
}
{
"title": "Remediation Tracking",
"description": "A log of events and actions taken towards the remediation of the associated risk.",
"$id": "#/definitions/remediation-tracking",
"type": "object",
"properties": {
"tracking-entries": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/tracking-entry"
}
}
},
"required": [
"tracking-entries"
],
"additionalProperties": false
}
{
"title": "Required",
"description": "Identifies something required to achieve remediation.",
"$id": "#/definitions/required",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Resource",
"description": "A resource associated with the present document, which may be a pointer to other data or a citation.",
"$id": "#/definitions/resource",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"citation": {
"$ref": "#/definitions/citation"
},
"rlinks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/rlink"
}
},
"attachments": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/base64"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Responsible Party",
"description": "A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.",
"$id": "#/definitions/responsible-party",
"type": "object",
"properties": {
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"party-uuids"
],
"additionalProperties": false
}
{
"title": "Responsible Role",
"description": "A reference to one or more roles with responsibility for performing a function relative to the control.",
"$id": "#/definitions/responsible-role",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"party-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Result",
"description": "A brief indication as to whether the objective is satisfied or not.",
"$id": "#/definitions/result",
"type": "object",
"properties": {
"system": {
"title": "Assessment System",
"description": "Identifies the framework or rules to which this value conforms.",
"type": "string",
"format": "uri"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE"
],
"additionalProperties": false
}
{
"title": "Assessment Results",
"description": "Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.",
"$id": "#/definitions/results",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"start": {
"$ref": "#/definitions/start"
},
"end": {
"$ref": "#/definitions/end"
},
"findings": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/finding"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"title",
"description",
"start",
"end",
"findings"
],
"additionalProperties": false
}
{
"title": "Revision History Entry",
"description": "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).",
"$id": "#/definitions/revision",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Identified Risk",
"description": "An identified risk.",
"$id": "#/definitions/risk",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"risk-metrics": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/risk-metric"
}
},
"risk-statement": {
"$ref": "#/definitions/risk-statement"
},
"mitigating-factors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/mitigating-factor"
}
},
"remediation-group": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/remediation"
}
},
"risk-status": {
"$ref": "#/definitions/risk-status"
},
"closure-actions": {
"$ref": "#/definitions/closure-actions"
},
"remediation-tracking": {
"$ref": "#/definitions/remediation-tracking"
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
}
},
"required": [
"uuid",
"title",
"description",
"risk-statement",
"risk-status"
],
"additionalProperties": false
}
{
"title": "Risk Metric",
"description": "An individual risk metric from a specified system.",
"$id": "#/definitions/risk-metric",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"system": {
"title": "System",
"description": "Specifies the system represented by this risk metric.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"name"
],
"additionalProperties": false
}
{
"title": "Risk Statement",
"description": "Describes the risk.",
"$id": "#/definitions/risk-statement",
"type": "string"
}
{
"title": "Status",
"description": "Describes the status of the associated risk.",
"$id": "#/definitions/risk-status",
"type": "string"
}
{
"title": "Resource link",
"description": "A pointer to an external copy of a document with optional hash for verification",
"$id": "#/definitions/rlink",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"hashes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/hash"
}
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Role",
"description": "Defining a role to be assigned to a party",
"$id": "#/definitions/role",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"title"
],
"additionalProperties": false
}
{
"title": "Role Identifier Reference",
"description": "A reference to the roles served by the user.",
"$id": "#/definitions/role-id",
"type": "string"
}
{
"title": "Schedule",
"description": "Identifies the schedule for the assessment activities.",
"$id": "#/definitions/schedule",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"tasks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/task"
}
}
},
"required": [
"tasks"
],
"additionalProperties": false
}
{
"title": "Sequence Number",
"description": "Identifies the sequence number for the test step.",
"$id": "#/definitions/sequence",
"type": "integer"
}
{
"title": "short-name",
"description": "A common name, short name or acronym",
"$id": "#/definitions/short-name",
"type": "string"
}
{
"title": "Start",
"description": "Identifies the start of a task.",
"$id": "#/definitions/start",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "State",
"description": "State, province or analogous geographical region for mailing address",
"$id": "#/definitions/state",
"type": "string"
}
{
"title": "Status",
"description": "Describes the operational status of the system.",
"$id": "#/definitions/status",
"type": "object",
"properties": {
"state": {
"title": "State",
"description": "The current operating status.",
"type": "string",
"enum": [
"operational",
"under-development",
"under-major-modification",
"disposition",
"other"
]
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"state"
],
"additionalProperties": false
}
{
"title": "Identifies the Subject",
"description": "A pointer to a resource based on its ID. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.",
"$id": "#/definitions/subject-reference",
"type": "object",
"properties": {
"uuid-ref": {
"title": "UUID Reference",
"description": "A pointer to a component, inventory-item, location, party, user, or resource using its UUID.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"props": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
}
},
"required": [
"uuid-ref",
"type"
],
"additionalProperties": false
}
{
"title": "Task",
"description": "Identifies an individual task.",
"$id": "#/definitions/task",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"start": {
"$ref": "#/definitions/start"
},
"end": {
"$ref": "#/definitions/end"
},
"activity-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/activity-uuid"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Test Method",
"description": "Identifies an individual test method.",
"$id": "#/definitions/test-method",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"test-steps": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/test-step"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Test Steps",
"description": "Identifies an individual test step.",
"$id": "#/definitions/test-step",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"sequence": {
"$ref": "#/definitions/sequence"
},
"description": {
"$ref": "#/definitions/description"
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Text",
"description": "A line of textual content whose semantic is determined by the context of use.",
"$id": "#/definitions/text",
"type": "string"
}
{
"title": "Threat ID",
"description": "A pointer, by ID, to an externally-defined threat.",
"$id": "#/definitions/threat-id",
"type": "object",
"properties": {
"system": {
"title": "Threat Type Identification System",
"description": "Specifies the source of the threat information.",
"type": "string",
"format": "uri"
},
"uri": {
"title": "URI",
"description": "An optional location for the threat data, from which this ID originates.",
"type": "string",
"format": "uri"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"system"
],
"additionalProperties": false
}
{
"title": "Title",
"description": "A title for display and navigation",
"$id": "#/definitions/title",
"type": "string"
}
{
"title": "Assessment Assets",
"description": "The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.",
"$id": "#/definitions/tools",
"type": "object",
"properties": {
"components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/component"
},
{
"not": {
"type": "string"
}
}
]
}
}
},
"additionalProperties": false
}
{
"title": "Tracking Entry",
"description": "Individual remediation tracking entry, which logs an event or action taken towards the remediation of the associated risk.",
"$id": "#/definitions/tracking-entry",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"date-time-stamp": {
"$ref": "#/definitions/date-time-stamp"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"date-time-stamp",
"description"
],
"additionalProperties": false
}
{
"title": "URL",
"description": "URL for web site or Internet presence",
"$id": "#/definitions/url",
"type": "string",
"format": "uri"
}
{
"title": "System User Class",
"description": "A type of user that interacts with the system based on an associated role.",
"$id": "#/definitions/user",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"authorized-privileges": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/authorized-privilege"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"role-ids"
],
"additionalProperties": false
}
{
"title": "Document version",
"description": "The version of the document content.",
"$id": "#/definitions/version",
"type": "string"
}
OSCAL Control Catalog Format
{
"title": "Address line",
"description": "A single line of an address.",
"$id": "#/definitions/addr-line",
"type": "string"
}
{
"title": "Address",
"description": "A postal address.",
"$id": "#/definitions/address",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of address.",
"type": "string"
},
"postal-address": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/addr-line"
}
},
"city": {
"$ref": "#/definitions/city"
},
"state": {
"$ref": "#/definitions/state"
},
"postal-code": {
"$ref": "#/definitions/postal-code"
},
"country": {
"$ref": "#/definitions/country"
}
},
"additionalProperties": false
}
{
"title": "Annotation",
"description": "A name/value pair with optional explanatory remarks.",
"$id": "#/definitions/annotation",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"value": {
"title": "Value",
"description": "Indicates the value of the characteristic.",
"type": "string"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Back matter",
"description": "A collection of citations and resource references.",
"$id": "#/definitions/back-matter",
"type": "object",
"properties": {
"resources": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/resource"
}
}
},
"additionalProperties": false
}
{
"title": "Base64",
"description": "",
"$id": "#/definitions/base64",
"type": "object",
"properties": {
"filename": {
"title": "File Name",
"description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded. Consumers should treat this name as untrusted input when choosing where to write the decoded file.",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "Bibliographic Definition",
"description": "A container in which a set of bibliographic information can be included. The model of this information is undefined by OSCAL.",
"$id": "#/definitions/biblio",
"type": "object",
"additionalProperties": false
}
{
"title": "Catalog",
"description": "A collection of controls.",
"$id": "#/definitions/catalog",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"metadata": {
"$ref": "#/definitions/metadata"
},
"parameters": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/param"
}
},
"controls": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/control"
}
},
"groups": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/group"
}
},
"back-matter": {
"$ref": "#/definitions/back-matter"
}
},
"required": [
"uuid",
"metadata"
],
"additionalProperties": false
}
{
"title": "Choice",
"description": "A value selection among several such options",
"$id": "#/definitions/choice",
"type": "string"
}
{
"title": "Citation",
"description": "A citation consisting of end note text and optional structured bibliographic data.",
"$id": "#/definitions/citation",
"type": "object",
"properties": {
"text": {
"$ref": "#/definitions/text"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"biblio": {
"$ref": "#/definitions/biblio"
}
},
"required": [
"text"
],
"additionalProperties": false
}
{
"title": "City",
"description": "City, town or geographical region for mailing address",
"$id": "#/definitions/city",
"type": "string"
}
{
"title": "Constraint",
"description": "A formal or informal expression of a constraint or test",
"$id": "#/definitions/constraint",
"type": "object",
"properties": {
"test": {
"title": "Constraint test",
"description": "A formal (executable) expression of a constraint",
"type": "string"
},
"detail": {
"type": "string"
}
},
"required": [
"detail"
],
"additionalProperties": false
}
{
"title": "Control",
"description": "A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.",
"$id": "#/definitions/control",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"parameters": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/param"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"controls": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/control"
}
}
},
"required": [
"id",
"title"
],
"additionalProperties": false
}
{
"title": "Country",
"description": "Country for mailing address",
"$id": "#/definitions/country",
"type": "string"
}
{
"title": "Description",
"description": "A short textual description",
"$id": "#/definitions/desc",
"type": "string"
}
{
"title": "Document Identifier",
"description": "A document identifier qualified by an identifier type.",
"$id": "#/definitions/doc-id",
"type": "object",
"properties": {
"type": {
"description": "Qualifies the kind of document identifier.",
"type": "string"
},
"identifier": {
"type": "string"
}
},
"required": [
"identifier",
"type"
],
"additionalProperties": false
}
{
"title": "Email",
"description": "Email address",
"$id": "#/definitions/email",
"type": "string",
"format": "email",
"pattern": "^.+@.+"
}
{
"title": "Personal Identifier",
"description": "An identifier for a person (such as an ORCID) using a designated scheme.",
"$id": "#/definitions/external-id",
"type": "object",
"properties": {
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"id": {
"type": "string"
}
},
"required": [
"id",
"type"
],
"additionalProperties": false
}
{
"title": "Control Group",
"description": "A group of controls, or of groups of controls.",
"$id": "#/definitions/group",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"parameters": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/param"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"groups": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/group"
}
},
"controls": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/control"
}
}
},
"required": [
"title"
],
"additionalProperties": false
}
{
"title": "Guideline",
"description": "A prose statement that provides a recommendation for the use of a parameter.",
"$id": "#/definitions/guideline",
"type": "object",
"properties": {
"prose": {
"$ref": "#/definitions/prose"
}
},
"additionalProperties": false
}
{
"title": "Hash",
"description": "A representation of a cryptographic digest generated over a resource using a hash algorithm.",
"$id": "#/definitions/hash",
"type": "object",
"properties": {
"algorithm": {
"title": "Hash algorithm",
"description": "Method by which a hash is derived",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"algorithm"
],
"additionalProperties": false
}
{
"title": "Parameter label",
"description": "A placeholder for a missing value, in display.",
"$id": "#/definitions/label",
"type": "string"
}
{
"title": "Last modified timestamp",
"description": "Date and time of last modification.",
"$id": "#/definitions/last-modified",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Link",
"description": "A reference to a local or remote resource",
"$id": "#/definitions/link",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"rel": {
"title": "Relation",
"description": "Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.",
"type": "string"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"text": {
"type": "string"
}
},
"required": [
"text",
"href"
],
"additionalProperties": false
}
{
"title": "Location",
"description": "A location, with associated metadata that can be referenced.",
"$id": "#/definitions/location",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "An RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"address": {
"$ref": "#/definitions/address"
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"URLs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/url"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"address"
],
"additionalProperties": false
}
{
"title": "Location Reference",
"description": "References a location defined in metadata.",
"$id": "#/definitions/location-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Organizational Affiliation",
"description": "Identifies that the containing object is a member of the organization associated with the provided UUID.",
"$id": "#/definitions/member-of-organization",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Publication metadata",
"description": "Provides information about the publication and availability of the containing document.",
"$id": "#/definitions/metadata",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"revision-history": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/revision"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"roles": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role"
}
},
"locations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location"
}
},
"parties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"title",
"last-modified",
"version",
"oscal-version"
],
"additionalProperties": false
}
{
"title": "OSCAL version",
"description": "OSCAL model version.",
"$id": "#/definitions/oscal-version",
"type": "string"
}
{
"title": "Parameter",
"description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.",
"$id": "#/definitions/param",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"depends-on": {
"title": "Depends on",
"description": "Another parameter invoking this one",
"type": "string"
},
"label": {
"$ref": "#/definitions/label"
},
"descriptions": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/usage"
}
},
"constraints": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/constraint"
}
},
"guidance": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/guideline"
}
},
"value": {
"$ref": "#/definitions/value"
},
"select": {
"$ref": "#/definitions/select"
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
}
},
"required": [
"id"
],
"additionalProperties": false
}
{
"title": "Part",
"description": "A partition or component of a control or part",
"$id": "#/definitions/part",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"prose": {
"$ref": "#/definitions/prose"
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Party (organization or person)",
"description": "A responsible entity, either singular (an organization or person) or collective (multiple persons)",
"$id": "#/definitions/party",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "An RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Party Type",
"description": "A category describing the kind of party the object describes.",
"type": "string",
"enum": [
"person",
"organization"
]
},
"party-name": {
"$ref": "#/definitions/party-name"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"external-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/external-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/address"
}
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"member-of-organizations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/member-of-organization"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"type",
"party-name"
],
"additionalProperties": false
}
{
"title": "Party Name",
"description": "The full (legal) name of the party.",
"$id": "#/definitions/party-name",
"type": "string"
}
{
"title": "Party Reference",
"description": "References a party defined in metadata.",
"$id": "#/definitions/party-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Telephone",
"description": "Contact number by telephone",
"$id": "#/definitions/phone",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of phone number.",
"type": "string"
},
"number": {
"type": "string"
}
},
"required": [
"number"
],
"additionalProperties": false
}
{
"title": "Postal Code",
"description": "Postal or ZIP code for mailing address",
"$id": "#/definitions/postal-code",
"type": "string"
}
{
"title": "Property",
"description": "A value with a name, attributed to the containing control, part, or group.",
"$id": "#/definitions/prop",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"name"
],
"additionalProperties": false
}
{
"title": "Prose",
"description": "Prose permits multiple paragraphs, lists, tables etc.",
"$id": "#/definitions/prose",
"type": "string"
}
{
"title": "Publication Timestamp",
"description": "The date and time this document was published.",
"$id": "#/definitions/published",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Remarks",
"description": "Additional commentary on the parent item.",
"$id": "#/definitions/remarks",
"type": "string"
}
{
"title": "Resource",
"description": "A resource associated with the present document, which may be a pointer to other data or a citation.",
"$id": "#/definitions/resource",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "An RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"citation": {
"$ref": "#/definitions/citation"
},
"rlinks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/rlink"
}
},
"attachments": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/base64"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Responsible Party",
"description": "A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.",
"$id": "#/definitions/responsible-party",
"type": "object",
"properties": {
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"party-uuids"
],
"additionalProperties": false
}
{
"title": "Revision History Entry",
"description": "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).",
"$id": "#/definitions/revision",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Resource link",
"description": "A pointer to an external copy of a document with optional hash for verification",
"$id": "#/definitions/rlink",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"hashes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/hash"
}
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Role",
"description": "Defining a role to be assigned to a party",
"$id": "#/definitions/role",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"title"
],
"additionalProperties": false
}
{
"title": "Selection",
"description": "Presenting a choice among alternatives",
"$id": "#/definitions/select",
"type": "object",
"properties": {
"how-many": {
"title": "Cardinality",
"description": "When selecting, a requirement such as one or more",
"type": "string"
},
"alternatives": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/choice"
}
}
},
"additionalProperties": false
}
{
"title": "short-name",
"description": "A common name, short name or acronym",
"$id": "#/definitions/short-name",
"type": "string"
}
{
"title": "State",
"description": "State, province or analogous geographical region for mailing address",
"$id": "#/definitions/state",
"type": "string"
}
{
"title": "Text",
"description": "A line of textual content whose semantic is determined by the context of use.",
"$id": "#/definitions/text",
"type": "string"
}
{
"title": "Title",
"description": "A title for display and navigation",
"$id": "#/definitions/title",
"type": "string"
}
{
"title": "URL",
"description": "URL for web site or Internet presence",
"$id": "#/definitions/url",
"type": "string",
"format": "uri"
}
{
"title": "Parameter description",
"description": "Indicates and explains the purpose and use of a parameter",
"$id": "#/definitions/usage",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"summary": {
"type": "string"
}
},
"required": [
"summary"
],
"additionalProperties": false
}
{
"title": "Value constraint",
"description": "Indicates a permissible value for a parameter or property",
"$id": "#/definitions/value",
"type": "string"
}
{
"title": "Document version",
"description": "The version of the document content.",
"$id": "#/definitions/version",
"type": "string"
}
OSCAL Implementation Component Format
{
"title": "Address line",
"description": "A single line of an address.",
"$id": "#/definitions/addr-line",
"type": "string"
}
{
"title": "Address",
"description": "A postal address.",
"$id": "#/definitions/address",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of address.",
"type": "string"
},
"postal-address": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/addr-line"
}
},
"city": {
"$ref": "#/definitions/city"
},
"state": {
"$ref": "#/definitions/state"
},
"postal-code": {
"$ref": "#/definitions/postal-code"
},
"country": {
"$ref": "#/definitions/country"
}
},
"additionalProperties": false
}
{
"title": "Annotation",
"description": "A name/value pair with optional explanatory remarks.",
"$id": "#/definitions/annotation",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"value": {
"title": "Value",
"description": "Indicates the value of the characteristic.",
"type": "string"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Back matter",
"description": "A collection of citations and resource references.",
"$id": "#/definitions/back-matter",
"type": "object",
"properties": {
"resources": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/resource"
}
}
},
"additionalProperties": false
}
{
"title": "Base64",
"description": "",
"$id": "#/definitions/base64",
"type": "object",
"properties": {
"filename": {
"title": "File Name",
"description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "Bibliographic Definition",
"description": "A container in which a set of bibliographic information can be included. The model of this information is undefined by OSCAL.",
"$id": "#/definitions/biblio",
"type": "object",
"additionalProperties": false
}
{
"title": "Capability",
"description": "A grouping of other components and/or capabilities.",
"$id": "#/definitions/capability",
"type": "object",
"properties": {
"name": {
"title": "Capability Name",
"description": "The capability's human-readable name.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"incorporates-components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/incorporates-component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"control-implementations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/control-implementation"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name",
"description"
],
"additionalProperties": false
}
{
"title": "Citation",
"description": "A citation consisting of end note text and optional structured bibliographic data.",
"$id": "#/definitions/citation",
"type": "object",
"properties": {
"text": {
"$ref": "#/definitions/text"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"biblio": {
"$ref": "#/definitions/biblio"
}
},
"required": [
"text"
],
"additionalProperties": false
}
{
"title": "City",
"description": "City, town or geographical region for mailing address",
"$id": "#/definitions/city",
"type": "string"
}
{
"title": "Component",
"description": "A defined component that can be part of an implemented system.",
"$id": "#/definitions/component",
"type": "object",
"properties": {
"name": {
"title": "Component Name",
"description": "The component's short, human-readable name.",
"type": "string"
},
"component-type": {
"title": "Component Type",
"description": "A category describing the purpose of the component.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"control-implementations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/control-implementation"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name",
"component-type",
"title",
"description"
],
"additionalProperties": false
}
{
"title": "Component Definition",
"description": "A collection of component descriptions, which may optionally be grouped by capability.",
"$id": "#/definitions/component-definition",
"type": "object",
"properties": {
"metadata": {
"$ref": "#/definitions/metadata"
},
"import-component-definitions": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/import-component-definition"
}
},
"components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"capabilities": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/capability"
},
{
"not": {
"type": "string"
}
}
]
}
},
"back-matter": {
"$ref": "#/definitions/back-matter"
}
},
"required": [
"metadata"
],
"additionalProperties": false
}
{
"title": "Control Implementation",
"description": "Defines how the component or capability supports a set of controls.",
"$id": "#/definitions/control-implementation",
"type": "object",
"properties": {
"uuid": {
"title": "Control Implementation Set Identifier",
"description": "A unique identifier for the set of implemented controls.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"source": {
"description": "A URL reference to the source catalog or profile for which this component is implementing controls.",
"type": "string",
"format": "uri-reference"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"implemented-requirements": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/implemented-requirement"
}
}
},
"required": [
"uuid",
"source",
"description",
"implemented-requirements"
],
"additionalProperties": false
}
{
"title": "Country",
"description": "Country for mailing address",
"$id": "#/definitions/country",
"type": "string"
}
{
"title": "Description",
"description": "A short textual description",
"$id": "#/definitions/desc",
"type": "string"
}
{
"title": "Description",
"description": "A description supporting the parent item.",
"$id": "#/definitions/description",
"type": "string"
}
{
"title": "Document Identifier",
"description": "A document identifier qualified by an identifier type.",
"$id": "#/definitions/doc-id",
"type": "object",
"properties": {
"type": {
"description": "Qualifies the kind of document identifier.",
"type": "string"
},
"identifier": {
"type": "string"
}
},
"required": [
"identifier",
"type"
],
"additionalProperties": false
}
{
"title": "Email",
"description": "Email address",
"$id": "#/definitions/email",
"type": "string",
"format": "email",
"pattern": "^.+@.+"
}
{
"title": "Personal Identifier",
"description": "An identifier for a person (such as an ORCID) using a designated scheme.",
"$id": "#/definitions/external-id",
"type": "object",
"properties": {
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"id": {
"type": "string"
}
},
"required": [
"id",
"type"
],
"additionalProperties": false
}
{
"title": "Hash",
"description": "A representation of a cryptographic digest generated over a resource using a hash algorithm.",
"$id": "#/definitions/hash",
"type": "object",
"properties": {
"algorithm": {
"title": "Hash algorithm",
"description": "Method by which a hash is derived",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"algorithm"
],
"additionalProperties": false
}
{
"title": "Control-based Requirement",
"description": "Describes how the component implements an individual control.",
"$id": "#/definitions/implemented-requirement",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "An RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"set-parameters": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/set-parameter"
},
{
"not": {
"type": "string"
}
}
]
}
},
"statements": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/statement"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Import Component Definition",
"description": "Loads a component definition from another resource.",
"$id": "#/definitions/import-component-definition",
"type": "object",
"properties": {
"href": {
"title": "Hyperlink Reference",
"description": "A link to a resource that defines a set of components and/or capabilities to import into this collection.",
"type": "string",
"format": "uri-reference"
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Incorporates Component",
"description": "TBD",
"$id": "#/definitions/incorporates-component",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
}
},
"required": [
"description"
],
"additionalProperties": false
}
{
"title": "Last modified timestamp",
"description": "Date and time of last modification.",
"$id": "#/definitions/last-modified",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Link",
"description": "A reference to a local or remote resource",
"$id": "#/definitions/link",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"rel": {
"title": "Relation",
"description": "Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.",
"type": "string"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"text": {
"type": "string"
}
},
"required": [
"text",
"href"
],
"additionalProperties": false
}
{
"title": "Location",
"description": "A location, with associated metadata that can be referenced.",
"$id": "#/definitions/location",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"address": {
"$ref": "#/definitions/address"
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"URLs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/url"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"address"
],
"additionalProperties": false
}
{
"title": "Location Reference",
"description": "References a location defined in metadata.",
"$id": "#/definitions/location-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Organizational Affiliation",
"description": "Identifies that the containing object is a member of the organization associated with the provided UUID.",
"$id": "#/definitions/member-of-organization",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Publication metadata",
"description": "Provides information about the publication and availability of the containing document.",
"$id": "#/definitions/metadata",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"revision-history": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/revision"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"roles": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role"
}
},
"locations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location"
}
},
"parties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"title",
"last-modified",
"version",
"oscal-version"
],
"additionalProperties": false
}
{
"title": "OSCAL version",
"description": "OSCAL model version.",
"$id": "#/definitions/oscal-version",
"type": "string"
}
{
"title": "Party (organization or person)",
"description": "A responsible entity, either singular (an organization or person) or collective (multiple persons)",
"$id": "#/definitions/party",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Party Type",
"description": "A category describing the kind of party the object describes.",
"type": "string",
"enum": [
"person",
"organization"
]
},
"party-name": {
"$ref": "#/definitions/party-name"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"external-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/external-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/address"
}
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"member-of-organizations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/member-of-organization"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"type",
"party-name"
],
"additionalProperties": false
}
{
"title": "Party Name",
"description": "The full (legal) name of the party.",
"$id": "#/definitions/party-name",
"type": "string"
}
{
"title": "Party Reference",
"description": "References a party defined in metadata.",
"$id": "#/definitions/party-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Telephone",
"description": "Contact number by telephone",
"$id": "#/definitions/phone",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of phone number.",
"type": "string"
},
"number": {
"type": "string"
}
},
"required": [
"number"
],
"additionalProperties": false
}
{
"title": "Postal Code",
"description": "Postal or ZIP code for mailing address",
"$id": "#/definitions/postal-code",
"type": "string"
}
{
"title": "Property",
"description": "A value with a name, attributed to the containing control, part, or group.",
"$id": "#/definitions/prop",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"name"
],
"additionalProperties": false
}
{
"title": "Publication Timestamp",
"description": "The date and time this document was published.",
"$id": "#/definitions/published",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Remarks",
"description": "Additional commentary on the parent item.",
"$id": "#/definitions/remarks",
"type": "string"
}
{
"title": "Resource",
"description": "A resource associated with the present document, which may be a pointer to other data or a citation.",
"$id": "#/definitions/resource",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"citation": {
"$ref": "#/definitions/citation"
},
"rlinks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/rlink"
}
},
"attachments": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/base64"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Responsible Party",
"description": "A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.",
"$id": "#/definitions/responsible-party",
"type": "object",
"properties": {
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"party-uuids"
],
"additionalProperties": false
}
{
"title": "Responsible Role",
"description": "A reference to one or more roles with responsibility for performing a function relative to the control.",
"$id": "#/definitions/responsible-role",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"party-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Revision History Entry",
"description": "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).",
"$id": "#/definitions/revision",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Resource link",
"description": "A pointer to an external copy of a document with optional hash for verification",
"$id": "#/definitions/rlink",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"hashes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/hash"
}
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Role",
"description": "Defining a role to be assigned to a party",
"$id": "#/definitions/role",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"title"
],
"additionalProperties": false
}
{
"title": "Set Parameter Value",
"description": "Identifies the parameter that will be filled in by the enclosed value element.",
"$id": "#/definitions/set-parameter",
"type": "object",
"properties": {
"value": {
"$ref": "#/definitions/value"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "short-name",
"description": "A common name, short name or acronym",
"$id": "#/definitions/short-name",
"type": "string"
}
{
"title": "State",
"description": "State, province or analogous geographical region for mailing address",
"$id": "#/definitions/state",
"type": "string"
}
{
"title": "Specific Statement",
"description": "Identifies which statements within a control are addressed.",
"$id": "#/definitions/statement",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"anyOf": [
{
"$ref": "#/definitions/annotation"
},
{
"type": "array",
"items": {
"$ref": "#/definitions/annotation"
},
"minItems": 2
}
]
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Text",
"description": "A line of textual content whose semantics are determined by the context of use.",
"$id": "#/definitions/text",
"type": "string"
}
{
"title": "Title",
"description": "A title for display and navigation",
"$id": "#/definitions/title",
"type": "string"
}
{
"title": "URL",
"description": "URL for web site or Internet presence",
"$id": "#/definitions/url",
"type": "string",
"format": "uri"
}
{
"title": "Value",
"description": "The phrase or string that fills in the parameter and completes the requirement statement.",
"$id": "#/definitions/value",
"type": "string"
}
{
"title": "Document version",
"description": "The version of the document content.",
"$id": "#/definitions/version",
"type": "string"
}
OSCAL Plan of Action and Milestones (POA&M) Format
{
"title": "Activity ID",
"description": "Links the task to a defined activity.",
"$id": "#/definitions/activity-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Address line",
"description": "A single line of an address.",
"$id": "#/definitions/addr-line",
"type": "string"
}
{
"title": "Address",
"description": "A postal address.",
"$id": "#/definitions/address",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of address.",
"type": "string"
},
"postal-address": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/addr-line"
}
},
"city": {
"$ref": "#/definitions/city"
},
"state": {
"$ref": "#/definitions/state"
},
"postal-code": {
"$ref": "#/definitions/postal-code"
},
"country": {
"$ref": "#/definitions/country"
}
},
"additionalProperties": false
}
{
"title": "Annotation",
"description": "A name/value pair with optional explanatory remarks.",
"$id": "#/definitions/annotation",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"value": {
"title": "Value",
"description": "Indicates the value of the characteristic.",
"type": "string"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Assessor",
"description": "Identifies an individual who gathered the evidence resulting in the observation or risk identification.",
"$id": "#/definitions/assessor",
"type": "object",
"properties": {
"party-uuid": {
"title": "Party UUID",
"description": "The UUID of the assessor who collected the evidence or made the observation.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"party-uuid"
],
"additionalProperties": false
}
{
"title": "Back matter",
"description": "A collection of citations and resource references.",
"$id": "#/definitions/back-matter",
"type": "object",
"properties": {
"resources": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/resource"
}
}
},
"additionalProperties": false
}
{
"title": "Base64",
"description": "",
"$id": "#/definitions/base64",
"type": "object",
"properties": {
"filename": {
"title": "File Name",
"description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "Bibliographic Definition",
"description": "A container in which a set of bibliographic information can be included. The model of this information is undefined by OSCAL.",
"$id": "#/definitions/biblio",
"type": "object",
"additionalProperties": false
}
{
"title": "Citation",
"description": "A citation consisting of end note text and optional structured bibliographic data.",
"$id": "#/definitions/citation",
"type": "object",
"properties": {
"text": {
"$ref": "#/definitions/text"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"biblio": {
"$ref": "#/definitions/biblio"
}
},
"required": [
"text"
],
"additionalProperties": false
}
{
"title": "City",
"description": "City, town or geographical region for mailing address",
"$id": "#/definitions/city",
"type": "string"
}
{
"title": "Closure Actions",
"description": "Describes the actions taken that resulted in the closure of the identified risk.",
"$id": "#/definitions/closure-actions",
"type": "string"
}
{
"title": "Compare To",
"description": "Typically used when copying content from the assessment plan to the assessment results. The uuid should be changed in the assessment results file, and the compare-to field should be set to the original assessment plan uuid value. This enables the plan and results to be compared later to identify what changed between the two.",
"$id": "#/definitions/compare-to",
"type": "string"
}
{
"title": "Component",
"description": "A defined component that can be part of an implemented system.",
"$id": "#/definitions/component",
"type": "object",
"properties": {
"component-type": {
"title": "Component Type",
"description": "A category describing the purpose of the component.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"purpose": {
"$ref": "#/definitions/purpose"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"status": {
"$ref": "#/definitions/status"
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"protocols": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/protocol"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"component-type",
"title",
"description",
"status"
],
"additionalProperties": false
}
{
"title": "Country",
"description": "Country for mailing address",
"$id": "#/definitions/country",
"type": "string"
}
{
"title": "Date/Time Stamp",
"description": "Date/time stamp identifying when the information was collected.",
"$id": "#/definitions/date-time-stamp",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Description",
"description": "A short textual description",
"$id": "#/definitions/desc",
"type": "string"
}
{
"title": "Description",
"description": "A description supporting the parent item.",
"$id": "#/definitions/description",
"type": "string"
}
{
"title": "Document Identifier",
"description": "A document identifier qualified by an identifier type.",
"$id": "#/definitions/doc-id",
"type": "object",
"properties": {
"type": {
"description": "Qualifies the kind of document identifier.",
"type": "string"
},
"identifier": {
"type": "string"
}
},
"required": [
"identifier",
"type"
],
"additionalProperties": false
}
{
"title": "Email",
"description": "Email address",
"$id": "#/definitions/email",
"type": "string",
"format": "email",
"pattern": "^.+@.+"
}
{
"title": "End",
"description": "Identifies the end of a task.",
"$id": "#/definitions/end",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Personal Identifier",
"description": "An identifier for a person (such as an ORCID) using a designated scheme.",
"$id": "#/definitions/external-id",
"type": "object",
"properties": {
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"id": {
"type": "string"
}
},
"required": [
"id",
"type"
],
"additionalProperties": false
}
{
"title": "Finding",
"description": "Describes an individual finding.",
"$id": "#/definitions/finding",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"date-time-stamp": {
"$ref": "#/definitions/date-time-stamp"
},
"objective-status": {
"$ref": "#/definitions/objective-status"
},
"implementation-statement-uuid": {
"$ref": "#/definitions/implementation-statement-uuid"
},
"observations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/observation"
}
},
"threat-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/threat-id"
}
},
"risks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/risk"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"title",
"description",
"date-time-stamp"
],
"additionalProperties": false
}
{
"title": "Hash",
"description": "A representation of a cryptographic digest generated over a resource using a hash algorithm.",
"$id": "#/definitions/hash",
"type": "object",
"properties": {
"algorithm": {
"title": "Hash algorithm",
"description": "Method by which a hash is derived",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"algorithm"
],
"additionalProperties": false
}
{
"title": "Implementation Statement UUID",
"description": "Identifies the implementation statement in the SSP to which this finding is related.",
"$id": "#/definitions/implementation-statement-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Implementation Status",
"description": "Identifies the implementation status of the control or control objective.",
"$id": "#/definitions/implementation-status",
"type": "object",
"properties": {
"system": {
"title": "Assessment System",
"description": "Identifies the framework or rules to which this value conforms.",
"type": "string",
"format": "uri"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE"
],
"additionalProperties": false
}
{
"title": "Implemented Component",
"description": "The set of components that are implemented in a given system inventory item.",
"$id": "#/definitions/implemented-component",
"type": "object",
"properties": {
"use": {
"title": "Implementation Use Type",
"description": "The type of implementation",
"type": "string"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Import System Security Plan",
"description": "Used by the assessment plan and POA&M to import information about the system.",
"$id": "#/definitions/import-ssp",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Inventory Item",
"description": "A single managed inventory item within the system.",
"$id": "#/definitions/inventory-item",
"type": "object",
"properties": {
"asset-id": {
"title": "Asset Identifier",
"description": "Organizational asset identifier that is unique in the context of the system. This may be a reference to the identifier used in an asset tracking system or a vulnerability scanning tool.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"implemented-components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/implemented-component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"asset-id",
"description"
],
"additionalProperties": false
}
{
"title": "Last modified timestamp",
"description": "Date and time of last modification.",
"$id": "#/definitions/last-modified",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Link",
"description": "A reference to a local or remote resource",
"$id": "#/definitions/link",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"rel": {
"title": "Relation",
"description": "Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.",
"type": "string"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"text": {
"type": "string"
}
},
"required": [
"text",
"href"
],
"additionalProperties": false
}
{
"title": "Local Definitions",
"description": "Allows components and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or where one is not delivered with the POA&M.",
"$id": "#/definitions/local-definitions",
"type": "object",
"properties": {
"components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"inventory-items": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/inventory-item"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Location",
"description": "A location, with associated metadata that can be referenced.",
"$id": "#/definitions/location",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"address": {
"$ref": "#/definitions/address"
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"URLs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/url"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"address"
],
"additionalProperties": false
}
{
"title": "Location Reference",
"description": "References a location defined in metadata.",
"$id": "#/definitions/location-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Organizational Affiliation",
"description": "Identifies that the containing object is a member of the organization associated with the provided UUID.",
"$id": "#/definitions/member-of-organization",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Publication metadata",
"description": "Provides information about the publication and availability of the containing document.",
"$id": "#/definitions/metadata",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"revision-history": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/revision"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"roles": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role"
}
},
"locations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location"
}
},
"parties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"title",
"last-modified",
"version",
"oscal-version"
],
"additionalProperties": false
}
{
"title": "Mitigating Factor",
"description": "Describes a mitigating factor with an optional link to an implementation statement in the SSP.",
"$id": "#/definitions/mitigating-factor",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"implementation-uuid": {
"title": "Implementation UUID",
"description": "Points to an implementation statement in the SSP.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"description": {
"$ref": "#/definitions/description"
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Implementation Status",
"description": "Captures an assessor's conclusions as to whether an objective is fully satisfied.",
"$id": "#/definitions/objective-status",
"type": "object",
"properties": {
"objective-id": {
"title": "Objective ID",
"description": "Points to an assessment objective.",
"type": "string"
},
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"result": {
"$ref": "#/definitions/result"
},
"implementation-status": {
"$ref": "#/definitions/implementation-status"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Objective",
"description": "Describes an individual observation.",
"$id": "#/definitions/observation",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"observation-methods": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/observation-method"
}
},
"observation-types": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/observation-type"
}
},
"assessors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/assessor"
}
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
},
"origins": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/origin"
}
},
"evidence-group": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/relevant-evidence"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description",
"observation-methods"
],
"additionalProperties": false
}
{
"title": "Observation Method",
"description": "Identifies how the observation was made.",
"$id": "#/definitions/observation-method",
"type": "string"
}
{
"title": "Observation Type",
"description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.",
"$id": "#/definitions/observation-type",
"type": "string"
}
{
"title": "Origin",
"description": "Identifies the tool or activity that resulted in the observation.",
"$id": "#/definitions/origin",
"type": "object",
"properties": {
"uuid-ref": {
"title": "UUID Reference",
"description": "A pointer to a relevant item, using its UUID.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string",
"enum": [
"tool",
"test-method",
"task",
"included-activity",
"other"
]
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"uuid-ref",
"type"
],
"additionalProperties": false
}
{
"title": "OSCAL version",
"description": "OSCAL model version.",
"$id": "#/definitions/oscal-version",
"type": "string"
}
{
"title": "Party (organization or person)",
"description": "A responsible entity, either singular (an organization or person) or collective (multiple persons)",
"$id": "#/definitions/party",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Party Type",
"description": "A category describing the kind of party the object describes.",
"type": "string",
"enum": [
"person",
"organization"
]
},
"party-name": {
"$ref": "#/definitions/party-name"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"external-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/external-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/address"
}
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"member-of-organizations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/member-of-organization"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"type",
"party-name"
],
"additionalProperties": false
}
{
"title": "Party Name",
"description": "The full (legal) name of the party.",
"$id": "#/definitions/party-name",
"type": "string"
}
{
"title": "Party Reference",
"description": "References a party defined in metadata.",
"$id": "#/definitions/party-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Telephone",
"description": "Contact number by telephone",
"$id": "#/definitions/phone",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of phone number.",
"type": "string"
},
"number": {
"type": "string"
}
},
"required": [
"number"
],
"additionalProperties": false
}
{
"title": "Plan of Action and Milestones (POA&M)",
"description": "A plan of action and milestones, such as those required by FedRAMP.",
"$id": "#/definitions/plan-of-action-and-milestones",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"metadata": {
"$ref": "#/definitions/metadata"
},
"import-ssp": {
"$ref": "#/definitions/import-ssp"
},
"system-id": {
"$ref": "#/definitions/system-id"
},
"local-definitions": {
"$ref": "#/definitions/local-definitions"
},
"results": {
"$ref": "#/definitions/results"
},
"back-matter": {
"$ref": "#/definitions/back-matter"
}
},
"required": [
"uuid",
"metadata",
"results"
],
"additionalProperties": false
}
{
"title": "Port Range",
"description": "Where applicable this is the IPv4 port range on which the service operates.",
"$id": "#/definitions/port-range",
"type": "object",
"properties": {
"start": {
"title": "Start",
"description": "Indicates the starting port number in a port range",
"type": "integer",
"multipleOf": 1,
"minimum": 0
},
"end": {
"title": "End",
"description": "Indicates the ending port number in a port range",
"type": "integer",
"multipleOf": 1,
"minimum": 0
},
"transport": {
"title": "Transport",
"description": "Indicates the transport type.",
"type": "string",
"enum": [
"TCP",
"UDP"
]
}
},
"additionalProperties": false
}
{
"title": "Postal Code",
"description": "Postal or ZIP code for mailing address",
"$id": "#/definitions/postal-code",
"type": "string"
}
{
"title": "Property",
"description": "A value with a name, attributed to the containing control, part, or group.",
"$id": "#/definitions/prop",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"name"
],
"additionalProperties": false
}
{
"title": "Protocol",
"description": "Information about the protocol used to provide a service.",
"$id": "#/definitions/protocol",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"name": {
"description": "The short name of the protocol (e.g., TLS).",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"port-ranges": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/port-range"
}
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Publication Timestamp",
"description": "The date and time this document was published.",
"$id": "#/definitions/published",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Purpose",
"description": "Describes the purpose for the service within the system.",
"$id": "#/definitions/purpose",
"type": "string"
}
{
"title": "Relevant Evidence",
"description": "Links this observation to relevant evidence.",
"$id": "#/definitions/relevant-evidence",
"type": "object",
"properties": {
"href": {
"description": "Links to evidence as URI. May use a URI fragment to point to a resource in the back-matter.",
"type": "string",
"format": "uri-reference"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"description"
],
"additionalProperties": false
}
{
"title": "Remarks",
"description": "Additional commentary on the parent item.",
"$id": "#/definitions/remarks",
"type": "string"
}
{
"title": "Remediation",
"description": "Describes either a recommendation or an actual plan for remediating the risk.",
"$id": "#/definitions/remediation",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"origins": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/remediation-origin"
}
},
"requirements": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/required"
}
},
"schedule": {
"$ref": "#/definitions/schedule"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"title",
"description"
],
"additionalProperties": false
}
{
"title": "Remediation Origin",
"description": "Points to the source of the remediation recommendation or plan",
"$id": "#/definitions/remediation-origin",
"type": "object",
"properties": {
"uuid-ref": {
"title": "UUID Reference",
"description": "A pointer to a relevant item, using its UUID.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"uuid-ref"
],
"additionalProperties": false
}
{
"title": "Remediation Tracking",
"description": "A log of events and actions taken towards the remediation of the associated risk.",
"$id": "#/definitions/remediation-tracking",
"type": "object",
"properties": {
"tracking-entries": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/tracking-entry"
}
}
},
"required": [
"tracking-entries"
],
"additionalProperties": false
}
{
"title": "Required",
"description": "Identifies something required to achieve remediation.",
"$id": "#/definitions/required",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"subject-references": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/subject-reference"
}
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Resource",
"description": "A resource associated with the present document, which may be a pointer to other data or a citation.",
"$id": "#/definitions/resource",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"citation": {
"$ref": "#/definitions/citation"
},
"rlinks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/rlink"
}
},
"attachments": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/base64"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Responsible Party",
"description": "A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.",
"$id": "#/definitions/responsible-party",
"type": "object",
"properties": {
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"party-uuids"
],
"additionalProperties": false
}
{
"title": "Responsible Role",
"description": "A reference to one or more roles with responsibility for performing a function relative to the control.",
"$id": "#/definitions/responsible-role",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"party-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Result",
"description": "A brief indication as to whether the objective is satisfied or not.",
"$id": "#/definitions/result",
"type": "object",
"properties": {
"system": {
"title": "Assessment System",
"description": "Identifies the framework or rules to which this value conforms.",
"type": "string",
"format": "uri"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE"
],
"additionalProperties": false
}
{
"title": "Assessment Results",
"description": "Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.",
"$id": "#/definitions/results",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"start": {
"$ref": "#/definitions/start"
},
"end": {
"$ref": "#/definitions/end"
},
"findings": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/finding"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"title",
"description",
"start",
"end",
"findings"
],
"additionalProperties": false
}
{
"title": "Revision History Entry",
"description": "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).",
"$id": "#/definitions/revision",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Identified Risk",
"description": "An identified risk.",
"$id": "#/definitions/risk",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"risk-metrics": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/risk-metric"
}
},
"risk-statement": {
"$ref": "#/definitions/risk-statement"
},
"mitigating-factors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/mitigating-factor"
}
},
"remediation-group": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/remediation"
}
},
"risk-status": {
"$ref": "#/definitions/risk-status"
},
"closure-actions": {
"$ref": "#/definitions/closure-actions"
},
"remediation-tracking": {
"$ref": "#/definitions/remediation-tracking"
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
}
},
"required": [
"uuid",
"title",
"description",
"risk-statement",
"risk-status"
],
"additionalProperties": false
}
{
"title": "Risk Metric",
"description": "An individual risk metric from a specified system.",
"$id": "#/definitions/risk-metric",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"system": {
"title": "System",
"description": "Specifies the system represented by this risk metric.",
"type": "string"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"name"
],
"additionalProperties": false
}
{
"title": "Risk Statement",
"description": "Describes the risk.",
"$id": "#/definitions/risk-statement",
"type": "string"
}
{
"title": "Status",
"description": "Describes the status of the associated risk.",
"$id": "#/definitions/risk-status",
"type": "string"
}
{
"title": "Resource link",
"description": "A pointer to an external copy of a document with optional hash for verification",
"$id": "#/definitions/rlink",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"hashes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/hash"
}
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Role",
"description": "Defining a role to be assigned to a party",
"$id": "#/definitions/role",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"title"
],
"additionalProperties": false
}
{
"title": "Role Identifier Reference",
"description": "A reference to the roles served by the user.",
"$id": "#/definitions/role-id",
"type": "string"
}
{
"title": "Schedule",
"description": "Identifies the schedule for the assessment activities.",
"$id": "#/definitions/schedule",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"tasks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/task"
}
}
},
"required": [
"tasks"
],
"additionalProperties": false
}
{
"title": "short-name",
"description": "A common name, short name or acronym",
"$id": "#/definitions/short-name",
"type": "string"
}
{
"title": "Start",
"description": "Identifies the start of a task.",
"$id": "#/definitions/start",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "State",
"description": "State, province or analogous geographical region for mailing address",
"$id": "#/definitions/state",
"type": "string"
}
{
"title": "Status",
"description": "Describes the operational status of the system.",
"$id": "#/definitions/status",
"type": "object",
"properties": {
"state": {
"title": "State",
"description": "The current operating status.",
"type": "string",
"enum": [
"operational",
"under-development",
"under-major-modification",
"disposition",
"other"
]
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"state"
],
"additionalProperties": false
}
{
"title": "Identifies the Subject",
"description": "A pointer to a resource based on its ID. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.",
"$id": "#/definitions/subject-reference",
"type": "object",
"properties": {
"uuid-ref": {
"title": "UUID Reference",
"description": "A pointer to a component, inventory-item, location, party, user, or resource using its UUID.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"props": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
}
},
"required": [
"uuid-ref",
"type"
],
"additionalProperties": false
}
{
"title": "System Identification",
"description": "A unique identifier for the system described by this system security plan.",
"$id": "#/definitions/system-id",
"type": "object",
"properties": {
"identifier-type": {
"title": "Identification System Type",
"description": "Identifies the identification system from which the provided identifier was assigned.",
"type": "string",
"format": "uri"
},
"id": {
"type": "string"
}
},
"required": [
"id"
],
"additionalProperties": false
}
{
"title": "Task",
"description": "Identifies an individual task.",
"$id": "#/definitions/task",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"start": {
"$ref": "#/definitions/start"
},
"end": {
"$ref": "#/definitions/end"
},
"activity-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/activity-uuid"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"compare-to": {
"$ref": "#/definitions/compare-to"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Text",
"description": "A line of textual content whose semantics are determined by the context of use.",
"$id": "#/definitions/text",
"type": "string"
}
{
"title": "Threat ID",
"description": "A pointer, by ID, to an externally-defined threat.",
"$id": "#/definitions/threat-id",
"type": "object",
"properties": {
"system": {
"title": "Threat Type Identification System",
"description": "Specifies the source of the threat information.",
"type": "string",
"format": "uri"
},
"uri": {
"title": "URI",
"description": "An optional location for the threat data, from which this ID originates.",
"type": "string",
"format": "uri"
},
"STRVALUE": {
"type": "string"
}
},
"required": [
"STRVALUE",
"system"
],
"additionalProperties": false
}
{
"title": "Title",
"description": "A title for display and navigation",
"$id": "#/definitions/title",
"type": "string"
}
{
"title": "Tracking Entry",
"description": "Individual remediation tracking entry, which logs an event or action taken towards the remediation of the associated risk.",
"$id": "#/definitions/tracking-entry",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"date-time-stamp": {
"$ref": "#/definitions/date-time-stamp"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"date-time-stamp",
"description"
],
"additionalProperties": false
}
{
"title": "URL",
"description": "URL for web site or Internet presence",
"$id": "#/definitions/url",
"type": "string",
"format": "uri"
}
{
"title": "Document version",
"description": "The version of the document content.",
"$id": "#/definitions/version",
"type": "string"
}
OSCAL Profile Metaschema
{
"title": "Addition",
"description": "Specifies contents to be added into controls, in resolution",
"$id": "#/definitions/add",
"type": "object",
"properties": {
"position": {
"title": "Position",
"description": "Where to add the new content with respect to the targeted element (beside it or inside it)",
"type": "string",
"enum": [
"before",
"after",
"starting",
"ending"
]
},
"id-ref": {
"title": "Reference by ID",
"description": "Target location of the addition.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"parameters": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/param"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
}
},
"additionalProperties": false
}
{
"title": "Address line",
"description": "A single line of an address.",
"$id": "#/definitions/addr-line",
"type": "string"
}
{
"title": "Address",
"description": "A postal address.",
"$id": "#/definitions/address",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of address.",
"type": "string"
},
"postal-address": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/addr-line"
}
},
"city": {
"$ref": "#/definitions/city"
},
"state": {
"$ref": "#/definitions/state"
},
"postal-code": {
"$ref": "#/definitions/postal-code"
},
"country": {
"$ref": "#/definitions/country"
}
},
"additionalProperties": false
}
{
"title": "Include all",
"description": "Include all controls from the imported resource (catalog)",
"$id": "#/definitions/all",
"type": "object",
"properties": {
"with-child-controls": {
"title": "Include contained controls with control",
"description": "When a control is included, whether its child (dependent) controls are also included.",
"type": "string",
"enum": [
"yes",
"no"
]
}
},
"additionalProperties": false
}
{
"title": "Alteration",
"description": "An Alter element specifies changes to be made to an included control when a profile is resolved.",
"$id": "#/definitions/alter",
"type": "object",
"properties": {
"control-id": {
"title": "Control ID",
"description": "Value of the 'id' flag on a target control",
"type": "string"
},
"removals": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/remove"
}
},
"additions": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/add"
}
}
},
"additionalProperties": false
}
{
"title": "Annotation",
"description": "A name/value pair with optional explanatory remarks.",
"$id": "#/definitions/annotation",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"value": {
"title": "Value",
"description": "Indicates the value of the characteristic.",
"type": "string"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "As is",
"description": "An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes.",
"$id": "#/definitions/as-is",
"type": "boolean"
}
{
"title": "Back matter",
"description": "A collection of citations and resource references.",
"$id": "#/definitions/back-matter",
"type": "object",
"properties": {
"resources": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/resource"
}
}
},
"additionalProperties": false
}
{
"title": "Base64",
"description": "",
"$id": "#/definitions/base64",
"type": "object",
"properties": {
"filename": {
"title": "File Name",
"description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "Bibliographic Definition",
"description": "A container in which a set of bibliographic information can be included. The model of this information is undefined by OSCAL.",
"$id": "#/definitions/biblio",
"type": "object",
"additionalProperties": false
}
{
"title": "Call",
"description": "Call a control by its ID",
"$id": "#/definitions/call",
"type": "object",
"properties": {
"control-id": {
"title": "Control ID",
"description": "Value of the 'id' flag on a target control",
"type": "string"
},
"with-child-controls": {
"title": "Include contained controls with control",
"description": "When a control is included, whether its child (dependent) controls are also included.",
"type": "string",
"enum": [
"yes",
"no"
]
}
},
"required": [
"control-id"
],
"additionalProperties": false
}
{
"title": "Choice",
"description": "A value selection among several such options",
"$id": "#/definitions/choice",
"type": "string"
}
{
"title": "Citation",
"description": "A citation consisting of end note text and optional structured bibliographic data.",
"$id": "#/definitions/citation",
"type": "object",
"properties": {
"text": {
"$ref": "#/definitions/text"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"biblio": {
"$ref": "#/definitions/biblio"
}
},
"required": [
"text"
],
"additionalProperties": false
}
{
"title": "City",
"description": "City, town or geographical region for mailing address",
"$id": "#/definitions/city",
"type": "string"
}
{
"title": "Combination rule",
"description": "A Combine element defines whether and how to combine multiple (competing) versions of the same control",
"$id": "#/definitions/combine",
"type": "object",
"properties": {
"method": {
"title": "Combination method",
"description": "How clashing controls should be handled",
"type": "string",
"enum": [
"use-first",
"merge",
"keep"
]
}
},
"additionalProperties": false
}
{
"title": "Constraint",
"description": "A formal or informal expression of a constraint or test",
"$id": "#/definitions/constraint",
"type": "object",
"properties": {
"test": {
"title": "Constraint test",
"description": "A formal (executable) expression of a constraint",
"type": "string"
},
"detail": {
"type": "string"
}
},
"required": [
"detail"
],
"additionalProperties": false
}
{
"title": "Country",
"description": "Country for mailing address",
"$id": "#/definitions/country",
"type": "string"
}
{
"title": "Custom grouping",
"description": "A Custom element frames a structure for embedding represented controls in resolution.",
"$id": "#/definitions/custom",
"type": "object",
"properties": {
"groups": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/group"
}
},
"id-selectors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/call"
}
},
"pattern-selectors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/match"
}
}
},
"additionalProperties": false
}
{
"title": "Description",
"description": "A short textual description",
"$id": "#/definitions/desc",
"type": "string"
}
{
"title": "Document Identifier",
"description": "A document identifier qualified by an identifier type.",
"$id": "#/definitions/doc-id",
"type": "object",
"properties": {
"type": {
"description": "Qualifies the kind of document identifier.",
"type": "string"
},
"identifier": {
"type": "string"
}
},
"required": [
"identifier",
"type"
],
"additionalProperties": false
}
{
"title": "Email",
"description": "Email address",
"$id": "#/definitions/email",
"type": "string",
"format": "email",
"pattern": "^.+@.+"
}
{
"title": "Exclude controls",
"description": "Which controls to exclude from the resource (source catalog) being imported",
"$id": "#/definitions/exclude",
"type": "object",
"properties": {
"id-selectors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/call"
}
},
"pattern-selectors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/match"
}
}
},
"additionalProperties": false
}
{
"title": "Personal Identifier",
"description": "An identifier for a person (such as an ORCID) using a designated scheme.",
"$id": "#/definitions/external-id",
"type": "object",
"properties": {
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"id": {
"type": "string"
}
},
"required": [
"id",
"type"
],
"additionalProperties": false
}
{
"title": "Control group",
"description": "As in catalogs, a group of (selected) controls or of groups of controls",
"$id": "#/definitions/group",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"parameters": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/param"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"groups": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/group"
}
},
"id-selectors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/call"
}
},
"pattern-selectors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/match"
}
}
},
"additionalProperties": false
}
{
"title": "Guideline",
"description": "A prose statement that provides a recommendation for the use of a parameter.",
"$id": "#/definitions/guideline",
"type": "object",
"properties": {
"prose": {
"$ref": "#/definitions/prose"
}
},
"additionalProperties": false
}
{
"title": "Hash",
"description": "A representation of a cryptographic digest generated over a resource using a hash algorithm.",
"$id": "#/definitions/hash",
"type": "object",
"properties": {
"algorithm": {
"title": "Hash algorithm",
"description": "Method by which a hash is derived",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"algorithm"
],
"additionalProperties": false
}
{
"title": "Import resource",
"description": "An Import element designates a catalog, profile, or other resource to be included (referenced and potentially modified) by this profile.",
"$id": "#/definitions/import",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"include": {
"$ref": "#/definitions/include"
},
"exclude": {
"$ref": "#/definitions/exclude"
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Include controls",
"description": "Specifies which controls to include from the resource (source catalog) being imported",
"$id": "#/definitions/include",
"type": "object",
"properties": {
"all": {
"$ref": "#/definitions/all"
},
"id-selectors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/call"
}
},
"pattern-selectors": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/match"
}
}
},
"additionalProperties": false
}
{
"title": "Parameter label",
"description": "A placeholder for a missing value, in display.",
"$id": "#/definitions/label",
"type": "string"
}
{
"title": "Last modified timestamp",
"description": "Date and time of last modification.",
"$id": "#/definitions/last-modified",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Link",
"description": "A reference to a local or remote resource",
"$id": "#/definitions/link",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"rel": {
"title": "Relation",
"description": "Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.",
"type": "string"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"text": {
"type": "string"
}
},
"required": [
"text",
"href"
],
"additionalProperties": false
}
{
"title": "Location",
"description": "A location, with associated metadata that can be referenced.",
"$id": "#/definitions/location",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"address": {
"$ref": "#/definitions/address"
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"URLs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/url"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"address"
],
"additionalProperties": false
}
{
"title": "Location Reference",
"description": "References a location defined in metadata.",
"$id": "#/definitions/location-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Match controls by identifier",
"description": "Select controls by (regular expression) match on ID",
"$id": "#/definitions/match",
"type": "object",
"properties": {
"pattern": {
"title": "Pattern",
"description": "A regular expression matching the IDs of one or more controls to be selected",
"type": "string"
},
"order": {
"title": "Order",
"description": "A designation of how a selection of controls in a profile is to be ordered.",
"type": "string",
"enum": [
"keep",
"ascending",
"descending"
]
},
"with-child-controls": {
"title": "Include contained controls with control",
"description": "When a control is included, whether its child (dependent) controls are also included.",
"type": "string",
"enum": [
"yes",
"no"
]
}
},
"additionalProperties": false
}
{
"title": "Organizational Affiliation",
"description": "Identifies that the containing object is a member of the organization associated with the provided UUID.",
"$id": "#/definitions/member-of-organization",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Merge controls",
"description": "A Merge element merges controls in resolution.",
"$id": "#/definitions/merge",
"type": "object",
"properties": {
"combine": {
"$ref": "#/definitions/combine"
},
"as-is": {
"$ref": "#/definitions/as-is"
},
"custom": {
"$ref": "#/definitions/custom"
}
},
"additionalProperties": false
}
{
"title": "Publication metadata",
"description": "Provides information about the publication and availability of the containing document.",
"$id": "#/definitions/metadata",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"revision-history": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/revision"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"roles": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role"
}
},
"locations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location"
}
},
"parties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"title",
"last-modified",
"version",
"oscal-version"
],
"additionalProperties": false
}
{
"title": "Modify controls",
"description": "Set parameters or amend controls in resolution",
"$id": "#/definitions/modify",
"type": "object",
"properties": {
"parameter-settings": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/set-parameter"
},
{
"not": {
"type": "string"
}
}
]
}
},
"alterations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/alter"
}
}
},
"additionalProperties": false
}
{
"title": "OSCAL version",
"description": "OSCAL model version.",
"$id": "#/definitions/oscal-version",
"type": "string"
}
{
"title": "Parameter",
"description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.",
"$id": "#/definitions/param",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"depends-on": {
"title": "Depends on",
"description": "Another parameter invoking this one",
"type": "string"
},
"label": {
"$ref": "#/definitions/label"
},
"descriptions": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/usage"
}
},
"constraints": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/constraint"
}
},
"guidance": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/guideline"
}
},
"value": {
"$ref": "#/definitions/value"
},
"select": {
"$ref": "#/definitions/select"
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
}
},
"required": [
"id"
],
"additionalProperties": false
}
{
"title": "Part",
"description": "A partition or component of a control or part",
"$id": "#/definitions/part",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"prose": {
"$ref": "#/definitions/prose"
},
"parts": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/part"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Party (organization or person)",
"description": "A responsible entity, either singular (an organization or person) or collective (multiple persons)",
"$id": "#/definitions/party",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Party Type",
"description": "A category describing the kind of party the object describes.",
"type": "string",
"enum": [
"person",
"organization"
]
},
"party-name": {
"$ref": "#/definitions/party-name"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"external-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/external-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/address"
}
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"member-of-organizations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/member-of-organization"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"type",
"party-name"
],
"additionalProperties": false
}
{
"title": "Party Name",
"description": "The full (legal) name of the party.",
"$id": "#/definitions/party-name",
"type": "string"
}
{
"title": "Party Reference",
"description": "References a party defined in metadata.",
"$id": "#/definitions/party-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Telephone",
"description": "Contact number by telephone",
"$id": "#/definitions/phone",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of phone number.",
"type": "string"
},
"number": {
"type": "string"
}
},
"required": [
"number"
],
"additionalProperties": false
}
{
"title": "Postal Code",
"description": "Postal or ZIP code for mailing address",
"$id": "#/definitions/postal-code",
"type": "string"
}
{
"title": "Profile",
"description": "Each OSCAL profile is defined by a Profile element",
"$id": "#/definitions/profile",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"metadata": {
"$ref": "#/definitions/metadata"
},
"imports": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/import"
}
},
"merge": {
"$ref": "#/definitions/merge"
},
"modify": {
"$ref": "#/definitions/modify"
},
"back-matter": {
"$ref": "#/definitions/back-matter"
}
},
"required": [
"uuid",
"metadata",
"imports"
],
"additionalProperties": false
}
{
"title": "Property",
"description": "A value with a name, attributed to the containing control, part, or group.",
"$id": "#/definitions/prop",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"name"
],
"additionalProperties": false
}
{
"title": "Prose",
"description": "Prose permits multiple paragraphs, lists, tables etc.",
"$id": "#/definitions/prose",
"type": "string"
}
{
"title": "Publication Timestamp",
"description": "The date and time this document was published.",
"$id": "#/definitions/published",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Remarks",
"description": "Additional commentary on the parent item.",
"$id": "#/definitions/remarks",
"type": "string"
}
{
"title": "Removal",
"description": "Specifies elements to be removed from a control, in resolution",
"$id": "#/definitions/remove",
"type": "object",
"properties": {
"name-ref": {
"title": "Reference by (assigned) name",
"description": "Items to remove, by assigned name",
"type": "string"
},
"class-ref": {
"title": "Reference by class",
"description": "Items to remove, by class. A token match.",
"type": "string"
},
"id-ref": {
"title": "Reference by ID",
"description": "Items to remove, indicated by their IDs",
"type": "string"
},
"item-name": {
"title": "References by item name or generic identifier",
"description": "Items to remove, by the name of the item's type, or generic identifier, e.g. title or prop",
"type": "string"
}
},
"additionalProperties": false
}
{
"title": "Resource",
"description": "A resource associated with the present document, which may be a pointer to other data or a citation.",
"$id": "#/definitions/resource",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"citation": {
"$ref": "#/definitions/citation"
},
"rlinks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/rlink"
}
},
"attachments": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/base64"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Responsible Party",
"description": "A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.",
"$id": "#/definitions/responsible-party",
"type": "object",
"properties": {
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"party-uuids"
],
"additionalProperties": false
}
{
"title": "Revision History Entry",
"description": "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).",
"$id": "#/definitions/revision",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Resource link",
"description": "A pointer to an external copy of a document with optional hash for verification",
"$id": "#/definitions/rlink",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"hashes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/hash"
}
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Role",
"description": "Defining a role to be assigned to a party",
"$id": "#/definitions/role",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"title"
],
"additionalProperties": false
}
{
"title": "Selection",
"description": "Presenting a choice among alternatives",
"$id": "#/definitions/select",
"type": "object",
"properties": {
"how-many": {
"title": "Cardinality",
"description": "When selecting, a requirement such as one or more",
"type": "string"
},
"alternatives": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/choice"
}
}
},
"additionalProperties": false
}
{
"title": "Parameter Setting",
"description": "A parameter setting, to be propagated to points of insertion",
"$id": "#/definitions/set-parameter",
"type": "object",
"properties": {
"class": {
"title": "Class",
"description": "Indicating the type or classification of the containing object",
"type": "string"
},
"depends-on": {
"title": "Depends on",
"description": "Another parameter invoking this one",
"type": "string"
},
"label": {
"$ref": "#/definitions/label"
},
"descriptions": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/usage"
}
},
"constraints": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/constraint"
}
},
"guidance": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/guideline"
}
},
"value": {
"$ref": "#/definitions/value"
},
"select": {
"$ref": "#/definitions/select"
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
}
},
"additionalProperties": false
}
{
"title": "short-name",
"description": "A common name, short name or acronym",
"$id": "#/definitions/short-name",
"type": "string"
}
{
"title": "State",
"description": "State, province or analogous geographical region for mailing address",
"$id": "#/definitions/state",
"type": "string"
}
{
"title": "Text",
"description": "A line of textual content whose semantics are determined by the context of use.",
"$id": "#/definitions/text",
"type": "string"
}
{
"title": "Title",
"description": "A title for display and navigation",
"$id": "#/definitions/title",
"type": "string"
}
{
"title": "URL",
"description": "URL for web site or Internet presence",
"$id": "#/definitions/url",
"type": "string",
"format": "uri"
}
{
"title": "Parameter description",
"description": "Indicates and explains the purpose and use of a parameter",
"$id": "#/definitions/usage",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"summary": {
"type": "string"
}
},
"required": [
"summary"
],
"additionalProperties": false
}
{
"title": "Value constraint",
"description": "Indicates a permissible value for a parameter or property",
"$id": "#/definitions/value",
"type": "string"
}
{
"title": "Document version",
"description": "The version of the document content.",
"$id": "#/definitions/version",
"type": "string"
}
OSCAL System Security Plan (SSP) Format
{
"title": "Address line",
"description": "A single line of an address.",
"$id": "#/definitions/addr-line",
"type": "string"
}
{
"title": "Address",
"description": "A postal address.",
"$id": "#/definitions/address",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of address.",
"type": "string"
},
"postal-address": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/addr-line"
}
},
"city": {
"$ref": "#/definitions/city"
},
"state": {
"$ref": "#/definitions/state"
},
"postal-code": {
"$ref": "#/definitions/postal-code"
},
"country": {
"$ref": "#/definitions/country"
}
},
"additionalProperties": false
}
{
"title": "Adjustment Justification",
"description": "If the selected security level is different from the base security level, this contains the justification for the change.",
"$id": "#/definitions/adjustment-justification",
"type": "string"
}
{
"title": "Annotation",
"description": "A name/value pair with optional explanatory remarks.",
"$id": "#/definitions/annotation",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"value": {
"title": "Value",
"description": "Indicates the value of the characteristic.",
"type": "string"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Authorization Boundary",
"description": "A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.",
"$id": "#/definitions/authorization-boundary",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"diagrams": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/diagram"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"description"
],
"additionalProperties": false
}
{
"title": "Privilege",
"description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.",
"$id": "#/definitions/authorized-privilege",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"functions-performed": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/function-performed"
}
}
},
"required": [
"title",
"functions-performed"
],
"additionalProperties": false
}
{
"title": "Availability Impact Level",
"description": "The expected level of impact resulting from the disruption of access to or use of information or the information system.",
"$id": "#/definitions/availability-impact",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"base": {
"$ref": "#/definitions/base"
},
"selected": {
"$ref": "#/definitions/selected"
},
"adjustment-justification": {
"$ref": "#/definitions/adjustment-justification"
}
},
"required": [
"base"
],
"additionalProperties": false
}
{
"title": "Back matter",
"description": "A collection of citations and resource references.",
"$id": "#/definitions/back-matter",
"type": "object",
"properties": {
"resources": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/resource"
}
}
},
"additionalProperties": false
}
{
"title": "Base Level (Confidentiality, Integrity, or Availability)",
"description": "The prescribed base (Confidentiality, Integrity, or Availability) security impact level.",
"$id": "#/definitions/base",
"type": "string",
"enum": [
"fips-199-low",
"fips-199-moderate",
"fips-199-high"
]
}
{
"title": "Base64",
"description": "",
"$id": "#/definitions/base64",
"type": "object",
"properties": {
"filename": {
"title": "File Name",
"description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "Bibliographic Definition",
"description": "A container in which a set of bibliographic information can be included. The model of this information is undefined by OSCAL.",
"$id": "#/definitions/biblio",
"type": "object",
"additionalProperties": false
}
{
"title": "Component Control Implementation",
"description": "Defines how the referenced component implements a set of controls.",
"$id": "#/definitions/by-component",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"parameter-settings": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/set-parameter"
},
{
"not": {
"type": "string"
}
}
]
}
}
},
"required": [
"uuid",
"description"
],
"additionalProperties": false
}
{
"title": "Caption",
"description": "A brief caption to annotate the diagram.",
"$id": "#/definitions/caption",
"type": "string"
}
{
"title": "Citation",
"description": "A citation consisting of end note text and optional structured bibliographic data.",
"$id": "#/definitions/citation",
"type": "object",
"properties": {
"text": {
"$ref": "#/definitions/text"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"biblio": {
"$ref": "#/definitions/biblio"
}
},
"required": [
"text"
],
"additionalProperties": false
}
{
"title": "City",
"description": "City, town or geographical region for mailing address",
"$id": "#/definitions/city",
"type": "string"
}
{
"title": "Component",
"description": "A defined component that can be part of an implemented system.",
"$id": "#/definitions/component",
"type": "object",
"properties": {
"component-type": {
"title": "Component Type",
"description": "A category describing the purpose of the component.",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"purpose": {
"$ref": "#/definitions/purpose"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"status": {
"$ref": "#/definitions/status"
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"protocols": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/protocol"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"component-type",
"title",
"description",
"status"
],
"additionalProperties": false
}
{
"title": "Confidentiality Impact Level",
"description": "The expected level of impact resulting from the unauthorized disclosure of information.",
"$id": "#/definitions/confidentiality-impact",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"base": {
"$ref": "#/definitions/base"
},
"selected": {
"$ref": "#/definitions/selected"
},
"adjustment-justification": {
"$ref": "#/definitions/adjustment-justification"
}
},
"required": [
"base"
],
"additionalProperties": false
}
{
"title": "Control Implementation",
"description": "Describes how the system satisfies a set of controls.",
"$id": "#/definitions/control-implementation",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"implemented-requirements": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/implemented-requirement"
}
}
},
"required": [
"description",
"implemented-requirements"
],
"additionalProperties": false
}
{
"title": "Country",
"description": "Country for mailing address",
"$id": "#/definitions/country",
"type": "string"
}
{
"title": "Data Flow",
"description": "A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.",
"$id": "#/definitions/data-flow",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"diagrams": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/diagram"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"description"
],
"additionalProperties": false
}
{
"title": "System Authorization Date",
"description": "The date this system received its authorization.",
"$id": "#/definitions/date-authorized",
"type": "string",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2})?$"
}
{
"title": "Description",
"description": "A short textual description",
"$id": "#/definitions/desc",
"type": "string"
}
{
"title": "Description",
"description": "A description supporting the parent item.",
"$id": "#/definitions/description",
"type": "string"
}
{
"title": "Diagram",
"description": "A graphic that provides a visual representation of the system, or some aspect of it.",
"$id": "#/definitions/diagram",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"caption": {
"$ref": "#/definitions/caption"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Document Identifier",
"description": "A document identifier qualified by an identifier type.",
"$id": "#/definitions/doc-id",
"type": "object",
"properties": {
"type": {
"description": "Qualifies the kind of document identifier.",
"type": "string"
},
"identifier": {
"type": "string"
}
},
"required": [
"identifier",
"type"
],
"additionalProperties": false
}
{
"title": "Email",
"description": "Email address",
"$id": "#/definitions/email",
"type": "string",
"format": "email",
"pattern": "^.+@.+"
}
{
"title": "Personal Identifier",
"description": "An identifier for a person (such as an ORCID) using a designated scheme.",
"$id": "#/definitions/external-id",
"type": "object",
"properties": {
"type": {
"title": "Type",
"description": "Indicating the type of identifier, address, email or other data item.",
"type": "string"
},
"id": {
"type": "string"
}
},
"required": [
"id",
"type"
],
"additionalProperties": false
}
{
"title": "Functions Performed",
"description": "Describes a function performed for a given authorized privilege by this user class.",
"$id": "#/definitions/function-performed",
"type": "string"
}
{
"title": "Hash",
"description": "A representation of a cryptographic digest generated over a resource using a hash algorithm.",
"$id": "#/definitions/hash",
"type": "object",
"properties": {
"algorithm": {
"title": "Hash algorithm",
"description": "Method by which a hash is derived",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"algorithm"
],
"additionalProperties": false
}
{
"title": "Implemented Component",
"description": "The set of components that are implemented in a given system inventory item.",
"$id": "#/definitions/implemented-component",
"type": "object",
"properties": {
"use": {
"title": "Implementation Use Type",
"description": "The type of implementation",
"type": "string"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Control-based Requirement",
"description": "Describes how the system satisfies an individual control.",
"$id": "#/definitions/implemented-requirement",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"control-id": {
"title": "Control Identifier Reference",
"description": "A reference to a control identifier.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"by-components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/by-component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"parameter-settings": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/set-parameter"
},
{
"not": {
"type": "string"
}
}
]
}
},
"statements": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/statement"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"control-id"
],
"additionalProperties": false
}
{
"title": "Import Profile",
"description": "Used to import the OSCAL profile representing the system's control baseline.",
"$id": "#/definitions/import-profile",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Information Type",
"description": "Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.",
"$id": "#/definitions/information-type",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"description": {
"$ref": "#/definitions/description"
},
"information-type-ids": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/information-type-id"
},
{
"not": {
"type": "string"
}
}
]
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"confidentiality-impact": {
"$ref": "#/definitions/confidentiality-impact"
},
"integrity-impact": {
"$ref": "#/definitions/integrity-impact"
},
"availability-impact": {
"$ref": "#/definitions/availability-impact"
}
},
"required": [
"title",
"description",
"confidentiality-impact",
"integrity-impact",
"availability-impact"
],
"additionalProperties": false
}
{
"title": "Information Type Identifier",
"description": "An identifier qualified by the given identification system used, such as NIST SP 800-60.",
"$id": "#/definitions/information-type-id",
"type": "object",
"properties": {
"id": {
"type": "string"
}
},
"required": [
"id"
],
"additionalProperties": false
}
{
"title": "Integrity Impact Level",
"description": "The expected level of impact resulting from the unauthorized modification of information.",
"$id": "#/definitions/integrity-impact",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"base": {
"$ref": "#/definitions/base"
},
"selected": {
"$ref": "#/definitions/selected"
},
"adjustment-justification": {
"$ref": "#/definitions/adjustment-justification"
}
},
"required": [
"base"
],
"additionalProperties": false
}
{
"title": "Inventory Item",
"description": "A single managed inventory item within the system.",
"$id": "#/definitions/inventory-item",
"type": "object",
"properties": {
"asset-id": {
"title": "Asset Identifier",
"description": "Organizational asset identifier that is unique in the context of the system. This may be a reference to the identifier used in an asset tracking system or a vulnerability scanning tool.",
"type": "string"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"implemented-components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/implemented-component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"asset-id",
"description"
],
"additionalProperties": false
}
{
"title": "Last modified timestamp",
"description": "Date and time of last modification.",
"$id": "#/definitions/last-modified",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Leveraged Authorization",
"description": "A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.",
"$id": "#/definitions/leveraged-authorization",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"party-uuid": {
"$ref": "#/definitions/party-uuid"
},
"date-authorized": {
"$ref": "#/definitions/date-authorized"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"title",
"party-uuid",
"date-authorized"
],
"additionalProperties": false
}
{
"title": "Link",
"description": "A reference to a local or remote resource",
"$id": "#/definitions/link",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"rel": {
"title": "Relation",
"description": "Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.",
"type": "string"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"text": {
"type": "string"
}
},
"required": [
"text",
"href"
],
"additionalProperties": false
}
{
"title": "Location",
"description": "A location, with associated metadata that can be referenced.",
"$id": "#/definitions/location",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"address": {
"$ref": "#/definitions/address"
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"URLs": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/url"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"address"
],
"additionalProperties": false
}
{
"title": "Location Reference",
"description": "References a location defined in metadata.",
"$id": "#/definitions/location-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Organizational Affiliation",
"description": "Identifies that the containing object is a member of the organization associated with the provided UUID.",
"$id": "#/definitions/member-of-organization",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Publication metadata",
"description": "Provides information about the publication and availability of the containing document.",
"$id": "#/definitions/metadata",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"revision-history": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/revision"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"roles": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role"
}
},
"locations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location"
}
},
"parties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party"
}
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"title",
"last-modified",
"version",
"oscal-version"
],
"additionalProperties": false
}
{
"title": "Network Architecture",
"description": "A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.",
"$id": "#/definitions/network-architecture",
"type": "object",
"properties": {
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"diagrams": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/diagram"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"description"
],
"additionalProperties": false
}
{
"title": "OSCAL version",
"description": "OSCAL model version.",
"$id": "#/definitions/oscal-version",
"type": "string"
}
{
"title": "Party (organization or person)",
"description": "A responsible entity, either singular (an organization or person) or collective (multiple persons)",
"$id": "#/definitions/party",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "A RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"type": {
"title": "Party Type",
"description": "A category describing the kind of party the object describes.",
"type": "string",
"enum": [
"person",
"organization"
]
},
"party-name": {
"$ref": "#/definitions/party-name"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"external-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/external-id"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/address"
}
},
"email-addresses": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/email"
}
},
"telephone-numbers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/phone"
}
},
"member-of-organizations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/member-of-organization"
}
},
"location-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/location-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid",
"type",
"party-name"
],
"additionalProperties": false
}
{
"title": "Party Name",
"description": "The full (legal) name of the party.",
"$id": "#/definitions/party-name",
"type": "string"
}
{
"title": "Party Reference",
"description": "References a party defined in metadata.",
"$id": "#/definitions/party-uuid",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
}
{
"title": "Telephone",
"description": "Contact number by telephone",
"$id": "#/definitions/phone",
"type": "object",
"properties": {
"type": {
"description": "Indicates the type of phone number.",
"type": "string"
},
"number": {
"type": "string"
}
},
"required": [
"number"
],
"additionalProperties": false
}
{
"title": "Port Range",
"description": "Where applicable this is the IPv4 port range on which the service operates.",
"$id": "#/definitions/port-range",
"type": "object",
"properties": {
"start": {
"title": "Start",
"description": "Indicates the starting port number in a port range",
"type": "integer",
"multipleOf": 1,
"minimum": 0
},
"end": {
"title": "End",
"description": "Indicates the ending port number in a port range",
"type": "integer",
"multipleOf": 1,
"minimum": 0
},
"transport": {
"title": "Transport",
"description": "Indicates the transport type.",
"type": "string",
"enum": [
"TCP",
"UDP"
]
}
},
"additionalProperties": false
}
{
"title": "Postal Code",
"description": "Postal or ZIP code for mailing address",
"$id": "#/definitions/postal-code",
"type": "string"
}
{
"title": "Property",
"description": "A value with a name, attributed to the containing control, part, or group.",
"$id": "#/definitions/prop",
"type": "object",
"properties": {
"name": {
"title": "Name",
"description": "Identifying the purpose and intended use of the property, part or other object.",
"type": "string"
},
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"ns": {
"title": "Namespace",
"description": "A namespace qualifying the name.",
"type": "string"
},
"class": {
"title": "Class",
"description": "Indicates the type or classification of the containing object",
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"value",
"name"
],
"additionalProperties": false
}
{
"title": "Protocol",
"description": "Information about the protocol used to provide a service.",
"$id": "#/definitions/protocol",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "An RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"name": {
"description": "The short name of the protocol (e.g., TLS).",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"port-ranges": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/port-range"
}
}
},
"required": [
"name"
],
"additionalProperties": false
}
{
"title": "Publication Timestamp",
"description": "The date and time this document was published.",
"$id": "#/definitions/published",
"type": "string",
"format": "date-time",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$"
}
{
"title": "Purpose",
"description": "Describes the purpose for the service within the system.",
"$id": "#/definitions/purpose",
"type": "string"
}
{
"title": "Remarks",
"description": "Additional commentary on the parent item.",
"$id": "#/definitions/remarks",
"type": "string"
}
{
"title": "Resource",
"description": "A resource associated with the present document, which may be a pointer to other data or a citation.",
"$id": "#/definitions/resource",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "An RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"title": {
"$ref": "#/definitions/title"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"document-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/doc-id"
}
},
"citation": {
"$ref": "#/definitions/citation"
},
"rlinks": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/rlink"
}
},
"attachments": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/base64"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Responsible Party",
"description": "A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context.",
"$id": "#/definitions/responsible-party",
"type": "object",
"properties": {
"party-uuids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"party-uuids"
],
"additionalProperties": false
}
{
"title": "Responsible Role",
"description": "A reference to one or more roles with responsibility for performing a function relative to the control.",
"$id": "#/definitions/responsible-role",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"party-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/party-uuid"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Revision History Entry",
"description": "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).",
"$id": "#/definitions/revision",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"published": {
"$ref": "#/definitions/published"
},
"last-modified": {
"$ref": "#/definitions/last-modified"
},
"version": {
"$ref": "#/definitions/version"
},
"oscal-version": {
"$ref": "#/definitions/oscal-version"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"additionalProperties": false
}
{
"title": "Resource link",
"description": "A pointer to an external copy of a document with optional hash for verification",
"$id": "#/definitions/rlink",
"type": "object",
"properties": {
"href": {
"title": "hypertext reference",
"description": "A link to a document or document fragment (actual, nominal or projected)",
"type": "string",
"format": "uri-reference"
},
"media-type": {
"title": "Media type",
"description": "Describes the media type of the linked resource",
"type": "string"
},
"hashes": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/hash"
}
}
},
"required": [
"href"
],
"additionalProperties": false
}
{
"title": "Role",
"description": "Defines a role to be assigned to a party",
"$id": "#/definitions/role",
"type": "object",
"properties": {
"id": {
"title": "Identifier",
"description": "Unique identifier of the containing object",
"type": "string"
},
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"desc": {
"$ref": "#/definitions/desc"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"id",
"title"
],
"additionalProperties": false
}
{
"title": "Role Identifier Reference",
"description": "A reference to the roles served by the user.",
"$id": "#/definitions/role-id",
"type": "string"
}
{
"title": "Security Impact Level",
"description": "The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.",
"$id": "#/definitions/security-impact-level",
"type": "object",
"properties": {
"security-objective-confidentiality": {
"$ref": "#/definitions/security-objective-confidentiality"
},
"security-objective-integrity": {
"$ref": "#/definitions/security-objective-integrity"
},
"security-objective-availability": {
"$ref": "#/definitions/security-objective-availability"
}
},
"additionalProperties": false
}
{
"title": "Security Objective: Availability",
"description": "A target level of availability for the system, based on the sensitivity of information within the system.",
"$id": "#/definitions/security-objective-availability",
"type": "string",
"enum": [
"fips-199-low",
"fips-199-moderate",
"fips-199-high"
]
}
{
"title": "Security Objective: Confidentiality",
"description": "A target level of confidentiality for the system, based on the sensitivity of information within the system.",
"$id": "#/definitions/security-objective-confidentiality",
"type": "string",
"enum": [
"fips-199-low",
"fips-199-moderate",
"fips-199-high"
]
}
{
"title": "Security Objective: Integrity",
"description": "A target level of integrity for the system, based on the sensitivity of information within the system.",
"$id": "#/definitions/security-objective-integrity",
"type": "string",
"enum": [
"fips-199-low",
"fips-199-moderate",
"fips-199-high"
]
}
{
"title": "Security Sensitivity Level",
"description": "The overall information system sensitivity categorization, such as defined by FIPS-199.",
"$id": "#/definitions/security-sensitivity-level",
"type": "string",
"enum": [
"low",
"moderate",
"high"
]
}
{
"title": "Selected Level (Confidentiality, Integrity, or Availability)",
"description": "The selected (Confidentiality, Integrity, or Availability) security impact level.",
"$id": "#/definitions/selected",
"type": "string",
"enum": [
"fips-199-low",
"fips-199-moderate",
"fips-199-high"
]
}
{
"title": "Set Parameter Value",
"description": "Identifies the parameter that will be filled in by the enclosed value element.",
"$id": "#/definitions/set-parameter",
"type": "object",
"properties": {
"value": {
"$ref": "#/definitions/value"
}
},
"required": [
"value"
],
"additionalProperties": false
}
{
"title": "short-name",
"description": "A common name, short name or acronym",
"$id": "#/definitions/short-name",
"type": "string"
}
{
"title": "State",
"description": "State, province or analogous geographical region for mailing address",
"$id": "#/definitions/state",
"type": "string"
}
{
"title": "Specific Statement",
"description": "Identifies which statements within a control are addressed.",
"$id": "#/definitions/statement",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "An RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"anyOf": [
{
"$ref": "#/definitions/annotation"
},
{
"type": "array",
"items": {
"$ref": "#/definitions/annotation"
},
"minItems": 2
}
]
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"responsible-roles": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-role"
},
{
"not": {
"type": "string"
}
}
]
}
},
"by-components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/by-component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"uuid"
],
"additionalProperties": false
}
{
"title": "Status",
"description": "Describes the operational status of the system.",
"$id": "#/definitions/status",
"type": "object",
"properties": {
"state": {
"title": "State",
"description": "The current operating status.",
"type": "string",
"enum": [
"operational",
"under-development",
"under-major-modification",
"disposition",
"other"
]
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"state"
],
"additionalProperties": false
}
{
"title": "System Characteristics",
"description": "Contains the characteristics of the system, such as its name, purpose, and security impact level.",
"$id": "#/definitions/system-characteristics",
"type": "object",
"properties": {
"system-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/system-id"
}
},
"system-name": {
"$ref": "#/definitions/system-name"
},
"system-name-short": {
"$ref": "#/definitions/system-name-short"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"date-authorized": {
"$ref": "#/definitions/date-authorized"
},
"security-sensitivity-level": {
"$ref": "#/definitions/security-sensitivity-level"
},
"system-information": {
"$ref": "#/definitions/system-information"
},
"security-impact-level": {
"$ref": "#/definitions/security-impact-level"
},
"status": {
"$ref": "#/definitions/status"
},
"authorization-boundary": {
"$ref": "#/definitions/authorization-boundary"
},
"network-architecture": {
"$ref": "#/definitions/network-architecture"
},
"data-flow": {
"$ref": "#/definitions/data-flow"
},
"responsible-parties": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/responsible-party"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"system-ids",
"system-name",
"description",
"security-sensitivity-level",
"system-information",
"security-impact-level",
"status",
"authorization-boundary"
],
"additionalProperties": false
}
{
"title": "System Identification",
"description": "A unique identifier for the system described by this system security plan.",
"$id": "#/definitions/system-id",
"type": "object",
"properties": {
"identifier-type": {
"title": "Identification System Type",
"description": "Identifies the identification system from which the provided identifier was assigned.",
"type": "string",
"format": "uri"
},
"id": {
"type": "string"
}
},
"required": [
"id"
],
"additionalProperties": false
}
{
"title": "System Implementation",
"description": "Provides information as to how the system is implemented.",
"$id": "#/definitions/system-implementation",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"leveraged-authorizations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/leveraged-authorization"
}
},
"users": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/user"
},
{
"not": {
"type": "string"
}
}
]
}
},
"components": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/component"
},
{
"not": {
"type": "string"
}
}
]
}
},
"system-inventory": {
"$ref": "#/definitions/system-inventory"
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"users"
],
"additionalProperties": false
}
{
"title": "System Information",
"description": "Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.",
"$id": "#/definitions/system-information",
"type": "object",
"properties": {
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"information-types": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/information-type"
}
}
},
"required": [
"information-types"
],
"additionalProperties": false
}
{
"title": "System Inventory",
"description": "A set of inventory-item entries that represent the managed inventory instances of the system.",
"$id": "#/definitions/system-inventory",
"type": "object",
"properties": {
"inventory-items": {
"type": "object",
"minProperties": 1,
"additionalProperties": {
"allOf": [
{
"type": "object",
"$ref": "#/definitions/inventory-item"
},
{
"not": {
"type": "string"
}
}
]
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"inventory-items"
],
"additionalProperties": false
}
{
"title": "System Name (Full)",
"description": "The full name of the system.",
"$id": "#/definitions/system-name",
"type": "string"
}
{
"title": "System Name (Short)",
"description": "A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.",
"$id": "#/definitions/system-name-short",
"type": "string"
}
{
"title": "System Security Plan (SSP)",
"description": "A system security plan, such as those described in NIST SP 800-18",
"$id": "#/definitions/system-security-plan",
"type": "object",
"properties": {
"uuid": {
"title": "Universally Unique Identifier",
"description": "An RFC 4122 version 4 Universally Unique Identifier (UUID) for the containing object.",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"metadata": {
"$ref": "#/definitions/metadata"
},
"import-profile": {
"$ref": "#/definitions/import-profile"
},
"system-characteristics": {
"$ref": "#/definitions/system-characteristics"
},
"system-implementation": {
"$ref": "#/definitions/system-implementation"
},
"control-implementation": {
"$ref": "#/definitions/control-implementation"
},
"back-matter": {
"$ref": "#/definitions/back-matter"
}
},
"required": [
"uuid",
"metadata",
"import-profile",
"system-characteristics",
"system-implementation",
"control-implementation"
],
"additionalProperties": false
}
{
"title": "Text",
"description": "A line of textual content whose semantics are determined by the context of use.",
"$id": "#/definitions/text",
"type": "string"
}
{
"title": "Title",
"description": "A title for display and navigation",
"$id": "#/definitions/title",
"type": "string"
}
{
"title": "URL",
"description": "URL for web site or Internet presence",
"$id": "#/definitions/url",
"type": "string",
"format": "uri"
}
{
"title": "System User Class",
"description": "A type of user that interacts with the system based on an associated role.",
"$id": "#/definitions/user",
"type": "object",
"properties": {
"title": {
"$ref": "#/definitions/title"
},
"short-name": {
"$ref": "#/definitions/short-name"
},
"description": {
"$ref": "#/definitions/description"
},
"properties": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/prop"
}
},
"annotations": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/annotation"
}
},
"links": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/link"
}
},
"role-ids": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/role-id"
}
},
"authorized-privileges": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/definitions/authorized-privilege"
}
},
"remarks": {
"$ref": "#/definitions/remarks"
}
},
"required": [
"role-ids"
],
"additionalProperties": false
}
{
"title": "Value",
"description": "The phrase or string that fills in the parameter and completes the requirement statement.",
"$id": "#/definitions/value",
"type": "string"
}
{
"title": "Document version",
"description": "The version of the document content.",
"$id": "#/definitions/version",
"type": "string"
}