OSCAL Assessment Results (AR)

1.0.5

Schema URL

https://catalog.lintel.tools/schemas/schemastore/oscal-assessment-results-ar/versions/1.0.5.json
← Back to OSCAL Assessment Results (AR)
Type: object

Properties

assessment-results assembly_oscal-ar_assessment-results required

Definitions

oscal-ar-oscal-ar:assessment-results object

Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
metadata assembly_oscal-metadata_metadata required
import-ap assembly_oscal-ar_import-ap required
results assembly_oscal-ar_result[] required
minItems=1
local-definitions object

Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.

3 nested properties
objectives-and-methods assembly_oscal-assessment-common_local-objective[]
minItems=1
activities assembly_oscal-assessment-common_activity[]
minItems=1
remarks field_oscal-metadata_remarks
back-matter assembly_oscal-metadata_back-matter
oscal-ar-oscal-ar:result object

Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string required

The title for this set of results.

description string required

A human-readable description of this set of test results.

start string required
format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]*[1-9])?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
reviewed-controls assembly_oscal-assessment-common_reviewed-controls required
end string
format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]*[1-9])?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
local-definitions object

Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.

5 nested properties
components assembly_oscal-implementation-common_system-component[]
minItems=1
inventory-items assembly_oscal-implementation-common_inventory-item[]
minItems=1
users assembly_oscal-implementation-common_system-user[]
minItems=1
assessment-assets assembly_oscal-assessment-common_assessment-assets
tasks assembly_oscal-assessment-common_task[]
minItems=1
attestations object[]
minItems=1
assessment-log object

A log of all assessment-related actions taken.

1 nested properties
entries object[] required
minItems=1
observations assembly_oscal-assessment-common_observation[]
minItems=1
risks assembly_oscal-assessment-common_risk[]
minItems=1
findings assembly_oscal-ar_finding[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-ar:finding object

Describes an individual finding.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string required

The title for this finding.

description string required

A human-readable description of this finding.

target assembly_oscal-assessment-common_finding-target required
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
implementation-statement-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
related-observations object[]
minItems=1
related-risks object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-ar:import-ap object

Used by assessment-results to import information about the original plan for assessing the system.

href string required
format=uri-reference
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:metadata object

Provides information about the publication and availability of the containing document.

title string required

A name given to the document, which may be used by a tool for display and navigation.

last-modified field_oscal-metadata_last-modified required
version field_oscal-metadata_version required
oscal-version field_oscal-metadata_oscal-version required
published field_oscal-metadata_published
revisions assembly_oscal-metadata_revision[]
minItems=1
document-ids field_oscal-metadata_document-id[]
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
roles assembly_oscal-metadata_role[]
minItems=1
locations assembly_oscal-metadata_location[]
minItems=1
parties assembly_oscal-metadata_party[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:revision object

An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).

version field_oscal-metadata_version required
title string

A name given to the document revision, which may be used by a tool for display and navigation.

published field_oscal-metadata_published
last-modified field_oscal-metadata_last-modified
oscal-version field_oscal-metadata_oscal-version
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:location object

A location, with associated metadata that can be referenced.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
address assembly_oscal-metadata_address required
title string

A name given to the location, which may be used by a tool for display and navigation.

email-addresses field_oscal-metadata_email-address[]
minItems=1
telephone-numbers field_oscal-metadata_telephone-number[]
minItems=1
urls URIDatatype[]
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:location-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

oscal-ar-oscal-metadata:party object

A responsible entity which is either a person or an organization.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type required

A category describing the kind of party the object describes.

All of: StringDatatype string, enum enum
name string
pattern=^\S(.*\S)?$
short-name string
pattern=^\S(.*\S)?$
external-ids object[]
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
email-addresses field_oscal-metadata_email-address[]
minItems=1
telephone-numbers field_oscal-metadata_telephone-number[]
minItems=1
addresses assembly_oscal-metadata_address[]
minItems=1
location-uuids field_oscal-metadata_location-uuid[]
minItems=1
member-of-organizations UUIDDatatype[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:party-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

oscal-ar-oscal-metadata:role object

Defines a function assumed or expected to be assumed by a party in a specific situation.

id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
title string required

A name given to the role, which may be used by a tool for display and navigation.

short-name string
pattern=^\S(.*\S)?$
description string

A summary of the role's purpose and associated responsibilities.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:role-id string
oscal-ar-oscal-metadata:back-matter object

A collection of resources, which may be included directly or by reference.

resources object[]
minItems=1
oscal-ar-oscal-metadata:property object

An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

name required

A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

All of: TokenDatatype string, enum enum
value string required
pattern=^\S(.*\S)?$
uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
ns string
format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:responsible-party object

A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

role-id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
party-uuids field_oscal-metadata_party-uuid[] required
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:responsible-role object

A reference to one or more roles with responsibility for performing a function relative to the containing object.

role-id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
party-uuids field_oscal-metadata_party-uuid[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-metadata:hash object

A representation of a cryptographic digest generated over a resource using a specified hash algorithm.

algorithm required

Method by which a hash is derived

All of: StringDatatype string, enum enum
value string required
pattern=^\S(.*\S)?$
oscal-ar-oscal-metadata:remarks string

Additional commentary on the containing object.

oscal-ar-oscal-metadata:published string
oscal-ar-oscal-metadata:last-modified string
oscal-ar-oscal-metadata:version string
oscal-ar-oscal-metadata:oscal-version string
oscal-ar-oscal-metadata:email-address
oscal-ar-oscal-metadata:telephone-number object

Contact number by telephone.

number string required
pattern=^\S(.*\S)?$
type

Indicates the type of phone number.

All of: StringDatatype string, enum enum
oscal-ar-oscal-metadata:address object

A postal address for the location.

type

Indicates the type of address.

All of: TokenDatatype string, enum enum
addr-lines field_oscal-metadata_addr-line[]
minItems=1
city string
pattern=^\S(.*\S)?$
state string
pattern=^\S(.*\S)?$
postal-code string
pattern=^\S(.*\S)?$
country string
pattern=^\S(.*\S)?$
oscal-ar-oscal-metadata:addr-line string
oscal-ar-oscal-metadata:document-id object

A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.

identifier string required
pattern=^\S(.*\S)?$
scheme

Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

All of: URIDatatype string, enum enum
oscal-ar-oscal-assessment-common:import-ssp object

Used by the assessment plan and POA&M to import information about the system.

href string required
format=uri-reference
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:local-objective object

A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.

control-id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
parts assembly_oscal-catalog-common_part[] required
minItems=1
description string

A human-readable description of this control objective.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:assessment-method object

A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
part assembly_oscal-assessment-common_assessment-part required
description string

A human-readable description of this assessment method.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:activity object

Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A human-readable description of this included activity.

title string

The title for this included activity.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
steps object[]
minItems=1
related-controls assembly_oscal-assessment-common_reviewed-controls
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:task object

Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type required

The type of task.

All of: TokenDatatype string, enum enum
title string required

The title for this task.

description string

A human-readable description of this task.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
timing object

The timing under which the task is intended to occur.

3 nested properties
on-date object

The task is intended to occur on the specified date.

1 nested properties
date string required
format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]*[1-9])?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
within-date-range object

The task is intended to occur within the specified date range.

2 nested properties
start string required
format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]*[1-9])?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
end string required
format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]*[1-9])?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
at-frequency object

The task is intended to occur at the specified frequency.

2 nested properties
period required
All of: IntegerDatatype integer, number number
unit required

The unit of time for the period.

All of: StringDatatype string, enum enum
dependencies object[]
minItems=1
tasks assembly_oscal-assessment-common_task[]
minItems=1
associated-activities object[]
minItems=1
subjects assembly_oscal-assessment-common_assessment-subject[]
minItems=1
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:reviewed-controls object

Identifies the controls being assessed and their control objectives.

control-selections object[] required
minItems=1
description string

A human-readable description of control objectives.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
control-objective-selections object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:select-control-by-id object

Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

control-id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
statement-ids TokenDatatype[]
minItems=1
oscal-ar-oscal-assessment-common:select-objective-by-id object

Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

objective-id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
oscal-ar-oscal-assessment-common:assessment-subject-placeholder object

Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
sources object[] required
minItems=1
description string

A human-readable description of intent of this assessment subject placeholder.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:assessment-subject object

Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

type required

Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

All of: TokenDatatype string, enum enum
description string

A human-readable description of the collection of subjects being included in this assessment.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
include-all assembly_oscal-catalog-common_include-all
include-subjects assembly_oscal-assessment-common_select-subject-by-id[]
minItems=1
exclude-subjects assembly_oscal-assessment-common_select-subject-by-id[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:select-subject-by-id object

Identifies a set of assessment subjects to include/exclude by UUID.

subject-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type required

Used to indicate the type of object pointed to by the uuid-ref within a subject.

All of: TokenDatatype string, enum enum
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:subject-reference object

A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

subject-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type required

Used to indicate the type of object pointed to by the uuid-ref within a subject.

All of: TokenDatatype string, enum enum
title string

The title or name for the referenced subject.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:assessment-assets object

Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.

assessment-platforms object[] required
minItems=1
components assembly_oscal-implementation-common_system-component[]
minItems=1
oscal-ar-oscal-assessment-common:finding-target object

Captures an assessor's conclusions regarding the degree to which an objective is satisfied.

type required

Identifies the type of the target.

All of: StringDatatype string, enum enum
target-id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
status object required

A determination of if the objective is satisfied or not within a given system.

3 nested properties
state required

An indication as to whether the objective is satisfied or not.

All of: TokenDatatype string, enum enum
reason

The reason the objective was given it's status.

All of: TokenDatatype string, enum enum
remarks field_oscal-metadata_remarks
title string

The title for this objective status.

description string

A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
implementation-status assembly_oscal-implementation-common_implementation-status
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:observation object

Describes an individual observation.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A human-readable description of this assessment observation.

methods array required
minItems=1
collected string required
format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]*[1-9])?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
title string

The title for this observation.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
types array
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
subjects assembly_oscal-assessment-common_subject-reference[]
minItems=1
relevant-evidence object[]
minItems=1
expires string
format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]*[1-9])?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:origin object

Identifies the source of the finding, such as a tool, interviewed person, or activity.

actors assembly_oscal-assessment-common_origin-actor[] required
minItems=1
related-tasks assembly_oscal-assessment-common_related-task[]
minItems=1
oscal-ar-oscal-assessment-common:origin-actor object

The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

type required

The kind of actor.

All of: TokenDatatype string, enum enum
actor-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
role-id string
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-ar-oscal-assessment-common:related-task object

Identifies an individual task for which the containing object is a consequence of.

task-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
subjects assembly_oscal-assessment-common_assessment-subject[]
minItems=1
identified-subject object

Used to detail assessment subjects that were identfied by this task.

2 nested properties
subject-placeholder-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
subjects assembly_oscal-assessment-common_assessment-subject[] required
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:threat-id object

A pointer, by ID, to an externally-defined threat.

system required

Specifies the source of the threat information.

All of: URIDatatype string, enum enum
id string required
format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
href string
format=uri-reference
oscal-ar-oscal-assessment-common:risk object

An identified risk.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string required

The title for this risk.

description string required

A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.

statement string required

An summary of impact for how the risk affects the system.

status field_oscal-assessment-common_risk-status required
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
threat-ids field_oscal-assessment-common_threat-id[]
minItems=1
characterizations assembly_oscal-assessment-common_characterization[]
minItems=1
mitigating-factors object[]
minItems=1
deadline string
format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]*[1-9])?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
remediations assembly_oscal-assessment-common_response[]
minItems=1
risk-log object

A log of all risk-related tasks taken.

1 nested properties
entries object[] required
minItems=1
related-observations object[]
minItems=1
oscal-ar-oscal-assessment-common:logged-by object

Used to indicate who created a log entry in what role.

party-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
role-id string
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
oscal-ar-oscal-assessment-common:risk-status

Describes the status of the associated risk.

oscal-ar-oscal-assessment-common:characterization object

A collection of descriptive data about the containing object from a specific origin.

origin assembly_oscal-assessment-common_origin required
facets object[] required
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-ar-oscal-assessment-common:response object

Describes either recommended or an actual plan for addressing the risk.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
lifecycle required

Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.

All of: TokenDatatype string, enum enum
title string required

The title for this response activity.

description string required

A human-readable description of this response plan.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
required-assets object[]
minItems=1
tasks assembly_oscal-assessment-common_task[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-assessment-common:assessment-part object

A partition of an assessment plan or results or a child of another part.

name required

A textual label that uniquely identifies the part's semantic type.

All of: TokenDatatype string, enum enum
uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
ns string
format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
title string

A name given to the part, which may be used by a tool for display and navigation.

props assembly_oscal-metadata_property[]
minItems=1
prose string

Permits multiple paragraphs, lists, tables etc.

parts assembly_oscal-assessment-common_assessment-part[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-ar-oscal-catalog-common:part object

A partition of a control's definition or a child of another part.

name string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
id string
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
ns string
format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
title string

A name given to the part, which may be used by a tool for display and navigation.

props assembly_oscal-metadata_property[]
minItems=1
prose string

Permits multiple paragraphs, lists, tables etc.

parts assembly_oscal-catalog-common_part[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-ar-oscal-catalog-common:parameter object

Parameters provide a mechanism for the dynamic assignment of value(s) in a control.

id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
class string
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
depends-on string
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
label string

A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

usage string

Describes the purpose and use of a parameter

constraints assembly_oscal-catalog-common_parameter-constraint[]
minItems=1
guidelines assembly_oscal-catalog-common_parameter-guideline[]
minItems=1
values field_oscal-catalog-common_parameter-value[]
minItems=1
select assembly_oscal-catalog-common_parameter-selection
remarks field_oscal-metadata_remarks
oscal-ar-oscal-catalog-common:parameter-constraint object

A formal or informal expression of a constraint or test

description string

A textual summary of the constraint to be applied.

tests object[]
minItems=1
oscal-ar-oscal-catalog-common:parameter-guideline object

A prose statement that provides a recommendation for the use of a parameter.

prose string required

Prose permits multiple paragraphs, lists, tables etc.

oscal-ar-oscal-catalog-common:parameter-value string
oscal-ar-oscal-catalog-common:parameter-selection object

Presenting a choice among alternatives

how-many

Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.

All of: TokenDatatype string, enum enum
choice string[]
minItems=1
oscal-ar-oscal-catalog-common:include-all object

Include all controls from the imported catalog or profile resources.

oscal-ar-oscal-implementation-common:system-component object

A defined component that can be part of an implemented system.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type required

A category describing the purpose of the component.

All of: StringDatatype string, enum enum
title string required

A human readable name for the system component.

description string required

A description of the component, including information about its function.

status object required

Describes the operational status of the system component.

2 nested properties
state required

The operational status.

All of: TokenDatatype string, enum enum
remarks field_oscal-metadata_remarks
purpose string

A summary of the technological or business purpose of the component.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
protocols assembly_oscal-implementation-common_protocol[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-implementation-common:protocol object

Information about the protocol used to provide a service.

name string required
pattern=^\S(.*\S)?$
uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string

A human readable name for the protocol (e.g., Transport Layer Security).

port-ranges assembly_oscal-implementation-common_port-range[]
minItems=1
oscal-ar-oscal-implementation-common:port-range object

Where applicable this is the IPv4 port range on which the service operates.

start
All of: IntegerDatatype integer, number number
end
All of: IntegerDatatype integer, number number
transport

Indicates the transport type.

All of: TokenDatatype string, enum enum
oscal-ar-oscal-implementation-common:implementation-status object

Indicates the degree to which the a given control is implemented.

state required

Identifies the implementation status of the control or control objective.

All of: TokenDatatype string, enum enum
remarks field_oscal-metadata_remarks
oscal-ar-oscal-implementation-common:system-user object

A type of user that interacts with the system based on an associated role.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string

A name given to the user, which may be used by a tool for display and navigation.

short-name string
pattern=^\S(.*\S)?$
description string

A summary of the user's purpose within the system.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
role-ids field_oscal-metadata_role-id[]
minItems=1
authorized-privileges assembly_oscal-implementation-common_authorized-privilege[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-implementation-common:authorized-privilege object

Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.

title string required

A human readable name for the privilege.

functions-performed field_oscal-implementation-common_function-performed[] required
minItems=1
description string

A summary of the privilege's purpose within the system.

oscal-ar-oscal-implementation-common:function-performed string
oscal-ar-oscal-implementation-common:inventory-item object

A single managed inventory item within the system.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A summary of the inventory item stating its purpose within the system.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
implemented-components object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-implementation-common:set-parameter object

Identifies the parameter that will be set by the enclosed value.

param-id string required
pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
values StringDatatype[] required
minItems=1
remarks field_oscal-metadata_remarks
oscal-ar-oscal-implementation-common:system-id object

A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.

id string required
pattern=^\S(.*\S)?$
identifier-type

Identifies the identification system from which the provided identifier was assigned.

All of: URIDatatype string, enum enum
Base64Datatype string
DateTimeWithTimezoneDatatype string
EmailAddressDatatype
IntegerDatatype integer
NonNegativeIntegerDatatype
PositiveIntegerDatatype
StringDatatype string
TokenDatatype string
URIDatatype string
URIReferenceDatatype string
UUIDDatatype string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.