OSCAL Plan of Action and Milestones (POA&M)

NIST Open Security Controls Assessment Language (OSCAL) Plan of Action and Milestones. (https://pages.nist.gov/OSCAL-Reference)

Type object
File match oscal*poam.json
Schema URL https://catalog.lintel.tools/schemas/schemastore/oscal-plan-of-action-and-milestones-poa-m/latest.json
Source https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_poam_schema.json

Versions

1.0.0 1.0.1 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2

Validate with Lintel

npx @lintel/lintel check
Type: object

Properties

plan-of-action-and-milestones assembly_oscal-poam_plan-of-action-and-milestones required
$schema json-schema-directive

Definitions

json-schema-directive string

A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.

oscal-poam-oscal-poam:plan-of-action-and-milestones object

A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
metadata assembly_oscal-metadata_metadata required
poam-items assembly_oscal-poam_poam-item[] required
minItems=1
import-ssp assembly_oscal-assessment-common_import-ssp
system-id field_oscal-implementation-common_system-id
local-definitions assembly_oscal-poam_local-definitions
observations assembly_oscal-assessment-common_observation[]
minItems=1
risks assembly_oscal-assessment-common_risk[]
minItems=1
findings assembly_oscal-assessment-common_finding[]
minItems=1
back-matter assembly_oscal-metadata_back-matter
oscal-poam-oscal-poam:local-definitions object

Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.

components assembly_oscal-implementation-common_system-component[]
minItems=1
inventory-items assembly_oscal-implementation-common_inventory-item[]
minItems=1
assessment-assets assembly_oscal-assessment-common_assessment-assets
remarks field_oscal-metadata_remarks
oscal-poam-oscal-poam:poam-item object

Describes an individual POA&M item.

title string required

The title or name for this POA&M item .

description string required

A human-readable description of POA&M item.

uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins object[]
minItems=1
related-findings object[]
minItems=1
related-observations object[]
minItems=1
related-risks object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:metadata object

Provides information about the containing document, and defines concepts that are shared across the document.

title string required

A name given to the document, which may be used by a tool for display and navigation.

last-modified field_oscal-metadata_last-modified required
version field_oscal-metadata_version required
oscal-version field_oscal-metadata_oscal-version required
published field_oscal-metadata_published
revisions object[]
minItems=1
document-ids field_oscal-metadata_document-id[]
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
roles object[]
minItems=1
locations object[]
minItems=1
parties object[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
actions assembly_oscal-metadata_action[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:location-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

oscal-poam-oscal-metadata:party-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

oscal-poam-oscal-metadata:role-id string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

oscal-poam-oscal-metadata:back-matter object

A collection of resources that may be referenced from within the OSCAL document instance.

resources object[]
minItems=1
oscal-poam-oscal-metadata:property object

An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.

name string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
value string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
ns string

A universal resource identifier (URI) formatted according to RFC3986.

format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
group string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:responsible-party object

A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.

role-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
party-uuids field_oscal-metadata_party-uuid[] required
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:action object

An action applied by a role within a given party to the content.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
system string required

A universal resource identifier (URI) formatted according to RFC3986.

format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
date string

A string representing a point in time with a required timezone.

format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:responsible-role object

A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.

role-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
party-uuids field_oscal-metadata_party-uuid[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:hash object

A representation of a cryptographic digest generated over a resource using a specified hash algorithm.

algorithm StringDatatype | enum required

The digest method by which a hash is derived.

value string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
oscal-poam-oscal-metadata:remarks string

Additional commentary about the containing object.

oscal-poam-oscal-metadata:published string

A string representing a point in time with a required timezone.

oscal-poam-oscal-metadata:last-modified string

A string representing a point in time with a required timezone.

oscal-poam-oscal-metadata:version string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-metadata:oscal-version string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-metadata:email-address

An email address string formatted according to RFC 6531.

oscal-poam-oscal-metadata:telephone-number object

A telephone service number as defined by ITU-T E.164.

number string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
type StringDatatype | enum

Indicates the type of phone number.

oscal-poam-oscal-metadata:address object

A postal address for the location.

type TokenDatatype | enum

Indicates the type of address.

addr-lines field_oscal-metadata_addr-line[]
minItems=1
city string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
state string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
postal-code string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
country string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
oscal-poam-oscal-metadata:addr-line string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-metadata:document-id object

A document identifier qualified by an identifier scheme.

identifier string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
scheme URIDatatype | enum

Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

oscal-poam-oscal-implementation-common:system-component object

A defined component that can be part of an implemented system.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type StringDatatype | enum required

A category describing the purpose of the component.

title string required

A human readable name for the system component.

description string required

A description of the component, including information about its function.

status object required

Describes the operational status of the system component.

2 nested properties
state required

The operational status.

All of: TokenDatatype string, enum enum
remarks field_oscal-metadata_remarks
purpose string

A summary of the technological or business purpose of the component.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
protocols assembly_oscal-implementation-common_protocol[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:protocol object

Information about the protocol used to provide a service.

name string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string

A human readable name for the protocol (e.g., Transport Layer Security).

port-ranges assembly_oscal-implementation-common_port-range[]
minItems=1
oscal-poam-oscal-implementation-common:port-range object

Where applicable this is the IPv4 port range on which the service operates.

start

An integer value that is equal to or greater than 0.

All of: IntegerDatatype integer, number number
end

An integer value that is equal to or greater than 0.

All of: IntegerDatatype integer, number number
transport

Indicates the transport type.

All of: TokenDatatype string, enum enum
oscal-poam-oscal-implementation-common:implementation-status object

Indicates the degree to which the a given control is implemented.

state TokenDatatype | enum required

Identifies the implementation status of the control or control objective.

remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:system-user object

A type of user that interacts with the system based on an associated role.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string

A name given to the user, which may be used by a tool for display and navigation.

short-name string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
description string

A summary of the user's purpose within the system.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
role-ids field_oscal-metadata_role-id[]
minItems=1
authorized-privileges assembly_oscal-implementation-common_authorized-privilege[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:authorized-privilege object

Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.

title string required

A human readable name for the privilege.

functions-performed field_oscal-implementation-common_function-performed[] required
minItems=1
description string

A summary of the privilege's purpose within the system.

oscal-poam-oscal-implementation-common:function-performed string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-implementation-common:inventory-item object

A single managed inventory item within the system.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A summary of the inventory item stating its purpose within the system.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
implemented-components object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:set-parameter object

Identifies the parameter that will be set by the enclosed value.

param-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
values StringDatatype[] required
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:system-id object

A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.

id string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
identifier-type URIDatatype | enum

Identifies the identification system from which the provided identifier was assigned.

oscal-poam-oscal-control-common:part object

An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.

name string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
id string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
ns string

A universal resource identifier (URI) formatted according to RFC3986.

format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
title string

An optional name given to the part, which may be used by a tool for display and navigation.

props assembly_oscal-metadata_property[]
minItems=1
prose string

Permits multiple paragraphs, lists, tables etc.

parts assembly_oscal-control-common_part[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-control-common:parameter object

Parameters provide a mechanism for the dynamic assignment of value(s) in a control.

id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
class string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
depends-on string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
label string

A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

usage string

Describes the purpose and use of a parameter.

constraints assembly_oscal-control-common_parameter-constraint[]
minItems=1
guidelines assembly_oscal-control-common_parameter-guideline[]
minItems=1
values field_oscal-control-common_parameter-value[]
minItems=1
select assembly_oscal-control-common_parameter-selection
remarks field_oscal-metadata_remarks
oscal-poam-oscal-control-common:parameter-constraint object

A formal or informal expression of a constraint or test.

description string

A textual summary of the constraint to be applied.

tests object[]
minItems=1
oscal-poam-oscal-control-common:parameter-guideline object

A prose statement that provides a recommendation for the use of a parameter.

prose string required

Prose permits multiple paragraphs, lists, tables etc.

oscal-poam-oscal-control-common:parameter-value string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-control-common:parameter-selection object

Presenting a choice among alternatives.

how-many

Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.

All of: TokenDatatype string, enum enum
choice string[]
minItems=1
oscal-poam-oscal-control-common:include-all object

Include all controls from the imported catalog or profile resources.

oscal-poam-oscal-assessment-common:import-ssp object

Used by the assessment plan and POA&M to import information about the system.

href string required

A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.

format=uri-reference
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:local-objective object

A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.

control-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
parts assembly_oscal-control-common_part[] required
minItems=1
description string

A human-readable description of this control objective.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-method object

A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
part assembly_oscal-assessment-common_assessment-part required
description string

A human-readable description of this assessment method.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:activity object

Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A human-readable description of this included activity.

title string

The title for this included activity.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
steps object[]
minItems=1
related-controls assembly_oscal-assessment-common_reviewed-controls
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:task object

Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type TokenDatatype | enum required

The type of task.

title string required

The title for this task.

description string

A human-readable description of this task.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
timing object

The timing under which the task is intended to occur.

3 nested properties
on-date object

The task is intended to occur on the specified date.

1 nested properties
date string required

A string representing a point in time with a required timezone.

format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
within-date-range object

The task is intended to occur within the specified date range.

2 nested properties
start string required

A string representing a point in time with a required timezone.

format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
end string required

A string representing a point in time with a required timezone.

format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
at-frequency object

The task is intended to occur at the specified frequency.

2 nested properties
period required

An integer value that is greater than 0.

All of: IntegerDatatype integer, number number
unit required

The unit of time for the period.

All of: StringDatatype string, enum enum
dependencies object[]
minItems=1
tasks assembly_oscal-assessment-common_task[]
minItems=1
associated-activities object[]
minItems=1
subjects assembly_oscal-assessment-common_assessment-subject[]
minItems=1
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:reviewed-controls object

Identifies the controls being assessed and their control objectives.

control-selections object[] required
minItems=1
description string

A human-readable description of control objectives.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
control-objective-selections object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:select-control-by-id object

Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

control-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
statement-ids TokenDatatype[]
minItems=1
oscal-poam-oscal-assessment-common:select-objective-by-id object

Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

objective-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
oscal-poam-oscal-assessment-common:assessment-subject-placeholder object

Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
sources object[] required
minItems=1
description string

A human-readable description of intent of this assessment subject placeholder.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-subject object

Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

type TokenDatatype | enum required

Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

description string

A human-readable description of the collection of subjects being included in this assessment.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
include-all assembly_oscal-control-common_include-all
include-subjects assembly_oscal-assessment-common_select-subject-by-id[]
minItems=1
exclude-subjects assembly_oscal-assessment-common_select-subject-by-id[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:select-subject-by-id object

Identifies a set of assessment subjects to include/exclude by UUID.

subject-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type TokenDatatype | enum required

Used to indicate the type of object pointed to by the uuid-ref within a subject.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:subject-reference object

A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

subject-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type TokenDatatype | enum required

Used to indicate the type of object pointed to by the uuid-ref within a subject.

title string

The title or name for the referenced subject.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-assets object

Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.

assessment-platforms object[] required
minItems=1
components assembly_oscal-implementation-common_system-component[]
minItems=1
oscal-poam-oscal-assessment-common:finding-target object

Captures an assessor's conclusions regarding the degree to which an objective is satisfied.

type required

Identifies the type of the target.

All of: StringDatatype string, enum enum
target-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
status object required

A determination of if the objective is satisfied or not within a given system.

3 nested properties
state required

An indication as to whether the objective is satisfied or not.

All of: TokenDatatype string, enum enum
reason TokenDatatype | enum

The reason the objective was given it's status.

remarks field_oscal-metadata_remarks
title string

The title for this objective status.

description string

A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
implementation-status assembly_oscal-implementation-common_implementation-status
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:finding object

Describes an individual finding.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string required

The title for this finding.

description string required

A human-readable description of this finding.

target assembly_oscal-assessment-common_finding-target required
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
implementation-statement-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
related-observations object[]
minItems=1
related-risks object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:observation object

Describes an individual observation.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A human-readable description of this assessment observation.

methods StringDatatype | enum[] required
minItems=1
collected string required

A string representing a point in time with a required timezone.

format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
title string

The title for this observation.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
types TokenDatatype | enum[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
subjects assembly_oscal-assessment-common_subject-reference[]
minItems=1
relevant-evidence object[]
minItems=1
expires string

A string representing a point in time with a required timezone.

format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:origin object

Identifies the source of the finding, such as a tool, interviewed person, or activity.

actors assembly_oscal-assessment-common_origin-actor[] required
minItems=1
related-tasks assembly_oscal-assessment-common_related-task[]
minItems=1
oscal-poam-oscal-assessment-common:origin-actor object

The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

type required

The kind of actor.

All of: TokenDatatype string, enum enum
actor-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
role-id string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-assessment-common:related-task object

Identifies an individual task for which the containing object is a consequence of.

task-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
subjects assembly_oscal-assessment-common_assessment-subject[]
minItems=1
identified-subject object

Used to detail assessment subjects that were identfied by this task.

2 nested properties
subject-placeholder-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
subjects assembly_oscal-assessment-common_assessment-subject[] required
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:threat-id object

A pointer, by ID, to an externally-defined threat.

system URIDatatype | enum required

Specifies the source of the threat information.

id string required

A universal resource identifier (URI) formatted according to RFC3986.

format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
href string

A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.

format=uri-reference
oscal-poam-oscal-assessment-common:risk object

An identified risk.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string required

The title for this risk.

description string required

A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.

statement string required

An summary of impact for how the risk affects the system.

status field_oscal-assessment-common_risk-status required
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
threat-ids field_oscal-assessment-common_threat-id[]
minItems=1
characterizations assembly_oscal-assessment-common_characterization[]
minItems=1
mitigating-factors object[]
minItems=1
deadline string

A string representing a point in time with a required timezone.

format=date-timepattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
remediations assembly_oscal-assessment-common_response[]
minItems=1
risk-log object

A log of all risk-related tasks taken.

1 nested properties
entries object[] required
minItems=1
related-observations object[]
minItems=1
oscal-poam-oscal-assessment-common:logged-by object

Used to indicate who created a log entry in what role.

party-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
role-id string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
oscal-poam-oscal-assessment-common:risk-status TokenDatatype | enum

Describes the status of the associated risk.

oscal-poam-oscal-assessment-common:characterization object

A collection of descriptive data about the containing object from a specific origin.

origin assembly_oscal-assessment-common_origin required
facets object[] required
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-assessment-common:response object

Describes either recommended or an actual plan for addressing the risk.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
lifecycle TokenDatatype | enum required

Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.

title string required

The title for this response activity.

description string required

A human-readable description of this response plan.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
required-assets object[]
minItems=1
tasks assembly_oscal-assessment-common_task[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-part object

A partition of an assessment plan or results or a child of another part.

name TokenDatatype | enum required

A textual label that uniquely identifies the part's semantic type.

uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
ns string

A universal resource identifier (URI) formatted according to RFC3986.

format=uripattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
title string

A name given to the part, which may be used by a tool for display and navigation.

props assembly_oscal-metadata_property[]
minItems=1
prose string

Permits multiple paragraphs, lists, tables etc.

parts assembly_oscal-assessment-common_assessment-part[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
Base64Datatype string

Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.

DateTimeWithTimezoneDatatype string

A string representing a point in time with a required timezone.

EmailAddressDatatype

An email address string formatted according to RFC 6531.

IntegerDatatype integer

A whole number value.

NonNegativeIntegerDatatype

An integer value that is equal to or greater than 0.

PositiveIntegerDatatype

An integer value that is greater than 0.

StringDatatype string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

TokenDatatype string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

URIDatatype string

A universal resource identifier (URI) formatted according to RFC3986.

URIReferenceDatatype string

A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.

UUIDDatatype string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.