OSCAL Plan of Action and Milestones (POA&M)

1.0.0

Schema URL

https://catalog.lintel.tools/schemas/schemastore/oscal-plan-of-action-and-milestones-poa-m/versions/1.0.0.json
← Back to OSCAL Plan of Action and Milestones (POA&M)
Type: object

Properties

plan-of-action-and-milestones assembly_oscal-poam_plan-of-action-and-milestones required

Definitions

oscal-poam-oscal-poam:plan-of-action-and-milestones object

A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.

uuid string required

Uniquely identifies this POA&M. This UUID must be changed each time the content of the POA&M changes.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
metadata assembly_oscal-metadata_metadata required
poam-items assembly_oscal-poam_poam-item[] required
minItems=1
import-ssp assembly_oscal-assessment-common_import-ssp
system-id field_oscal-implementation-common_system-id
local-definitions assembly_oscal-poam_local-definitions
observations assembly_oscal-assessment-common_observation[]
minItems=1
risks assembly_oscal-assessment-common_risk[]
minItems=1
back-matter assembly_oscal-metadata_back-matter
oscal-poam-oscal-poam:local-definitions object

Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.

components assembly_oscal-implementation-common_system-component[]
minItems=1
inventory-items assembly_oscal-implementation-common_inventory-item[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-poam:poam-item object

Describes an individual POA&M item.

title string required

The title or name for this POA&M item .

description string required

A human-readable description of POA&M item.

uuid string

Uniquely identifies the POA&M entry. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given POA&M item across revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins object[]
minItems=1
related-observations object[]
minItems=1
related-risks object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:metadata object

Provides information about the publication and availability of the containing document.

title string required

A name given to the document, which may be used by a tool for display and navigation.

last-modified field_oscal-metadata_last-modified required
version field_oscal-metadata_version required
oscal-version field_oscal-metadata_oscal-version required
published field_oscal-metadata_published
revisions assembly_oscal-metadata_revision[]
minItems=1
document-ids field_oscal-metadata_document-id[]
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
roles assembly_oscal-metadata_role[]
minItems=1
locations assembly_oscal-metadata_location[]
minItems=1
parties assembly_oscal-metadata_party[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:revision object

An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).

title string

A name given to the document revision, which may be used by a tool for display and navigation.

published field_oscal-metadata_published
last-modified field_oscal-metadata_last-modified
version field_oscal-metadata_version
oscal-version field_oscal-metadata_oscal-version
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:location object

A location, with associated metadata that can be referenced.

uuid string required

A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
address assembly_oscal-metadata_address required
title string

A name given to the location, which may be used by a tool for display and navigation.

email-addresses field_oscal-metadata_email-address[]
minItems=1
telephone-numbers field_oscal-metadata_telephone-number[]
minItems=1
urls string[]
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:location-uuid string

References a location defined in metadata.

oscal-poam-oscal-metadata:party object

A responsible entity which is either a person or an organization.

uuid string required

A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given party across revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type string required

A category describing the kind of party the object describes.

Values: "person" "organization"
pattern=^\S(.*\S)?$
name string

The full name of the party. This is typically the legal name associated with the party.

pattern=^\S(.*\S)?$
short-name string

A short common name, abbreviation, or acronym for the party.

pattern=^\S(.*\S)?$
external-ids object[]
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
email-addresses field_oscal-metadata_email-address[]
minItems=1
telephone-numbers field_oscal-metadata_telephone-number[]
minItems=1
addresses assembly_oscal-metadata_address[]
minItems=1
location-uuids field_oscal-metadata_location-uuid[]
minItems=1
member-of-organizations string[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:party-uuid string

References a party defined in metadata.

oscal-poam-oscal-metadata:role object

Defines a function assumed or expected to be assumed by a party in a specific situation.

id string required

A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
title string required

A name given to the role, which may be used by a tool for display and navigation.

short-name string

A short common name, abbreviation, or acronym for the role.

pattern=^\S(.*\S)?$
description string

A summary of the role's purpose and associated responsibilities.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:role-id string

A reference to the roles served by the user.

oscal-poam-oscal-metadata:back-matter object

A collection of resources, which may be included directly or by reference.

resources object[]
minItems=1
oscal-poam-oscal-metadata:property object

An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.

name string required

A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
value string required

Indicates the value of the attribute, characteristic, or quality.

pattern=^\S(.*\S)?$
uuid string

A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
ns string

A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.

format=uri
class string

A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:responsible-party object

A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.

role-id string required

The role that the party is responsible for.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
party-uuids field_oscal-metadata_party-uuid[] required
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:responsible-role object

A reference to one or more roles with responsibility for performing a function relative to the containing object.

role-id string required

The role that is responsible for the business function.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
party-uuids field_oscal-metadata_party-uuid[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:hash object

A representation of a cryptographic digest generated over a resource using a specified hash algorithm.

algorithm string required

Method by which a hash is derived

pattern=^\S(.*\S)?$
value string required
oscal-poam-oscal-metadata:remarks string

Additional commentary on the containing object.

oscal-poam-oscal-metadata:published string

The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

oscal-poam-oscal-metadata:last-modified string

The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.

oscal-poam-oscal-metadata:version string

A string used to distinguish the current version of the document from other previous (and future) versions.

oscal-poam-oscal-metadata:oscal-version string

The OSCAL model version the document was authored against.

oscal-poam-oscal-metadata:email-address string

An email address as defined by RFC 5322 Section 3.4.1.

oscal-poam-oscal-metadata:telephone-number object

Contact number by telephone.

number string required
type string

Indicates the type of phone number.

pattern=^\S(.*\S)?$
oscal-poam-oscal-metadata:address object

A postal address for the location.

type string

Indicates the type of address.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
addr-lines field_oscal-metadata_addr-line[]
minItems=1
city string

City, town or geographical region for the mailing address.

pattern=^\S(.*\S)?$
state string

State, province or analogous geographical region for mailing address

pattern=^\S(.*\S)?$
postal-code string

Postal or ZIP code for mailing address

pattern=^\S(.*\S)?$
country string

The ISO 3166-1 alpha-2 country code for the mailing address.

pattern=^\S(.*\S)?$
oscal-poam-oscal-metadata:addr-line string

A single line of an address.

oscal-poam-oscal-metadata:document-id object

A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element.

identifier string required
scheme string

Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

format=uri
oscal-poam-oscal-implementation-common:system-component object

A defined component that can be part of an implemented system.

uuid string required

The unique identifier for the component.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type string required

A category describing the purpose of the component.

pattern=^\S(.*\S)?$
title string required

A human readable name for the system component.

description string required

A description of the component, including information about its function.

status object required

Describes the operational status of the system component.

2 nested properties
state string required

The operational status.

Values: "under-development" "operational" "disposition" "other"
pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
remarks field_oscal-metadata_remarks
purpose string

A summary of the technological or business purpose of the component.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
protocols assembly_oscal-implementation-common_protocol[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:protocol object

Information about the protocol used to provide a service.

name string required

The common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry.

pattern=^\S(.*\S)?$
uuid string

A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string

A human readable name for the protocol (e.g., Transport Layer Security).

port-ranges assembly_oscal-implementation-common_port-range[]
minItems=1
oscal-poam-oscal-implementation-common:port-range object

Where applicable this is the IPv4 port range on which the service operates.

start integer

Indicates the starting port number in a port range

min=0multipleOf=1
end integer

Indicates the ending port number in a port range

min=0multipleOf=1
transport string

Indicates the transport type.

Values: "TCP" "UDP"
pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
oscal-poam-oscal-implementation-common:implementation-status object

Indicates the degree to which the a given control is implemented.

state string required

Identifies the implementation status of the control or control objective.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:system-user object

A type of user that interacts with the system based on an associated role.

uuid string required

The unique identifier for the user class.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string

A name given to the user, which may be used by a tool for display and navigation.

short-name string

A short common name, abbreviation, or acronym for the user.

pattern=^\S(.*\S)?$
description string

A summary of the user's purpose within the system.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
role-ids field_oscal-metadata_role-id[]
minItems=1
authorized-privileges assembly_oscal-implementation-common_authorized-privilege[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:authorized-privilege object

Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.

title string required

A human readable name for the privilege.

functions-performed field_oscal-implementation-common_function-performed[] required
minItems=1
description string

A summary of the privilege's purpose within the system.

oscal-poam-oscal-implementation-common:function-performed string

Describes a function performed for a given authorized privilege by this user class.

oscal-poam-oscal-implementation-common:inventory-item object

A single managed inventory item within the system.

uuid string required

A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A summary of the inventory item stating its purpose within the system.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
implemented-components object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:set-parameter object

Identifies the parameter that will be set by the enclosed value.

param-id string required

A reference to a parameter within a control, who's catalog has been imported into the current implementation context.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
values string[] required
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:system-id object

A unique identifier for the system described by this system security plan.

id string required
identifier-type string

Identifies the identification system from which the provided identifier was assigned.

format=uri
oscal-poam-oscal-catalog-common:part object

A partition of a control's definition or a child of another part.

name string required

A textual label that uniquely identifies the part's semantic type.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
id string

A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
ns string

A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.

format=uri
class string

A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
title string

A name given to the part, which may be used by a tool for display and navigation.

props assembly_oscal-metadata_property[]
minItems=1
prose string

Permits multiple paragraphs, lists, tables etc.

parts assembly_oscal-catalog-common_part[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-catalog-common:parameter object

Parameters provide a mechanism for the dynamic assignment of value(s) in a control.

id string required

A unique identifier for a specific parameter instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same parameter across minor revisions of the document.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
class string

A textual label that provides a characterization of the parameter.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
depends-on string

Another parameter invoking this one

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
label string

A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

usage string

Describes the purpose and use of a parameter

constraints assembly_oscal-catalog-common_parameter-constraint[]
minItems=1
guidelines assembly_oscal-catalog-common_parameter-guideline[]
minItems=1
values field_oscal-catalog-common_parameter-value[]
minItems=1
select assembly_oscal-catalog-common_parameter-selection
remarks field_oscal-metadata_remarks
oscal-poam-oscal-catalog-common:parameter-constraint object

A formal or informal expression of a constraint or test

description string

A textual summary of the constraint to be applied.

tests object[]
minItems=1
oscal-poam-oscal-catalog-common:parameter-guideline object

A prose statement that provides a recommendation for the use of a parameter.

prose string required

Prose permits multiple paragraphs, lists, tables etc.

oscal-poam-oscal-catalog-common:parameter-value string

A parameter value or set of values.

oscal-poam-oscal-catalog-common:parameter-selection object

Presenting a choice among alternatives

how-many string

Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.

Values: "one" "one-or-more"
pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
choice string[]
minItems=1
oscal-poam-oscal-assessment-common:import-ssp object

Used by the assessment plan and POA&M to import information about the system.

href string required

A resolvable URL reference to the system security plan for the system being assessed.

format=uri-reference
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:local-objective object

A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.

control-id string required

A reference to a control with a corresponding id value.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
parts assembly_oscal-catalog-common_part[] required
minItems=1
description string

A human-readable description of this control objective.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-method object

A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.

uuid string required

Uniquely identifies this defined assessment method. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given assessment method across revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
part assembly_oscal-assessment-common_assessment-part required
description string

A human-readable description of this assessment method.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:activity object

Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.

uuid string required

Uniquely identifies this assessment activity. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given included activity across revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A human-readable description of this included activity.

title string

The title for this included activity.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
steps object[]
minItems=1
related-controls assembly_oscal-assessment-common_reviewed-controls
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:task object

Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

uuid string required

Uniquely identifies this assessment task.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type string required

The type of task.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
title string required

The title for this task.

description string

A human-readable description of this task.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
timing object

The timing under which the task is intended to occur.

3 nested properties
on-date object

The task is intended to occur on the specified date.

1 nested properties
date string required

The task must occur on the specified date.

format=date-timepattern=^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$
within-date-range object

The task is intended to occur within the specified date range.

2 nested properties
start string required

The task must occur on or after the specified date.

format=date-timepattern=^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$
end string required

The task must occur on or before the specified date.

format=date-timepattern=^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$
at-frequency object

The task is intended to occur at the specified frequency.

2 nested properties
period integer required

The task must occur after the specified period has elapsed.

min=1multipleOf=1
unit string required

The unit of time for the period.

Values: "seconds" "minutes" "hours" "days" "months" "years"
pattern=^\S(.*\S)?$
dependencies object[]
minItems=1
tasks assembly_oscal-assessment-common_task[]
minItems=1
associated-activities object[]
minItems=1
subjects assembly_oscal-assessment-common_assessment-subject[]
minItems=1
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:reviewed-controls object

Identifies the controls being assessed and their control objectives.

control-selections object[] required
minItems=1
description string

A human-readable description of control objectives.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
control-objective-selections object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:select-control-by-id object

Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.

control-id string required

A reference to a control with a corresponding id value.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
statement-ids string[]
minItems=1
oscal-poam-oscal-assessment-common:select-objective-by-id object

Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

objective-id string required

Points to an assessment objective.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
oscal-poam-oscal-assessment-common:assessment-subject-placeholder object

Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.

uuid string required

Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
sources object[] required
minItems=1
description string

A human-readable description of intent of this assessment subject placeholder.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-subject object

Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

type string required

Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
description string

A human-readable description of the collection of subjects being included in this assessment.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
include-all object

A key word to indicate all.

include-subjects assembly_oscal-assessment-common_select-subject-by-id[]
minItems=1
exclude-subjects assembly_oscal-assessment-common_select-subject-by-id[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:select-subject-by-id object

Identifies a set of assessment subjects to include/exclude by UUID.

subject-uuid string required

A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type string required

Used to indicate the type of object pointed to by the uuid-ref within a subject.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:subject-reference object

A pointer to a resource based on its universally unique identifier (UUID). Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

subject-uuid string required

A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type string required

Used to indicate the type of object pointed to by the uuid-ref within a subject.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
title string

The title or name for the referenced subject.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-assets object

Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.

assessment-platforms object[] required
minItems=1
components assembly_oscal-implementation-common_system-component[]
minItems=1
oscal-poam-oscal-assessment-common:finding-target object

Captures an assessor's conclusions regarding the degree to which an objective is satisfied.

type string required

Identifies the type of the target.

Values: "statement-id" "objective-id"
pattern=^\S(.*\S)?$
target-id string required

Identifies the specific target qualified by the type.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
status object required

A determination of if the objective is satisfied or not within a given system.

3 nested properties
state string required

An indication as to whether the objective is satisfied or not.

Values: "satisfied" "not-satisfied"
pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
reason string

The reason the objective was given it's status.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
remarks field_oscal-metadata_remarks
title string

The title for this objective status.

description string

A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
implementation-status assembly_oscal-implementation-common_implementation-status
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:observation object

Describes an individual observation.

uuid string required

Uniquely identifies this observation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given observation across revisions.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A human-readable description of this assessment observation.

methods string[] required
minItems=1
collected string required

Date/time stamp identifying when the finding information was collected.

format=date-timepattern=^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$
title string

The title for this observation.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
types string[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
subjects assembly_oscal-assessment-common_subject-reference[]
minItems=1
relevant-evidence object[]
minItems=1
expires string

Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.

format=date-timepattern=^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:origin object

Identifies the source of the finding, such as a tool, interviewed person, or activity.

actors assembly_oscal-assessment-common_origin-actor[] required
minItems=1
related-tasks assembly_oscal-assessment-common_related-task[]
minItems=1
oscal-poam-oscal-assessment-common:origin-actor object

The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.

type string required

The kind of actor.

Values: "tool" "assessment-platform" "party"
pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
actor-uuid string required

A pointer to the tool or person based on the associated type.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
role-id string

For a party, this can optionally be used to specify the role the actor was performing.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-assessment-common:related-task object

Identifies an individual task for which the containing object is a consequence of.

task-uuid string required

References a unique task by UUID.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
subjects assembly_oscal-assessment-common_assessment-subject[]
minItems=1
identified-subject object

Used to detail assessment subjects that were identfied by this task.

2 nested properties
subject-placeholder-uuid string required

References a unique assessment subject placeholder defined by this task.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
subjects assembly_oscal-assessment-common_assessment-subject[] required
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:threat-id object

A pointer, by ID, to an externally-defined threat.

system string required

Specifies the source of the threat information.

format=uri
id string required
href string

An optional location for the threat data, from which this ID originates.

format=uri-reference
oscal-poam-oscal-assessment-common:risk object

An identified risk.

uuid string required

Uniquely identifies this risk. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given risk across revisions.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string required

The title for this risk.

description string required

A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.

statement string required

An summary of impact for how the risk affects the system.

status string required

Describes the status of the associated risk.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
threat-ids field_oscal-assessment-common_threat-id[]
minItems=1
characterizations assembly_oscal-assessment-common_characterization[]
minItems=1
mitigating-factors object[]
minItems=1
deadline string

The date/time by which the risk must be resolved.

format=date-timepattern=^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$
remediations assembly_oscal-assessment-common_response[]
minItems=1
risk-log object

A log of all risk-related tasks taken.

1 nested properties
entries object[] required
minItems=1
related-observations object[]
minItems=1
oscal-poam-oscal-assessment-common:logged-by object

Used to indicate who created a log entry in what role.

party-uuid string required

A pointer to the party who is making the log entry.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
role-id string

A point to the role-id of the role in which the party is making the log entry.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
oscal-poam-oscal-assessment-common:risk-status string

Describes the status of the associated risk.

oscal-poam-oscal-assessment-common:characterization object

A collection of descriptive data about the containing object from a specific origin.

origin assembly_oscal-assessment-common_origin required
facets object[] required
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-assessment-common:response object

Describes either recommended or an actual plan for addressing the risk.

uuid string required

Uniquely identifies this remediation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given remediation across revisions.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
lifecycle string required

Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
title string required

The title for this response activity.

description string required

A human-readable description of this response plan.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
required-assets object[]
minItems=1
tasks assembly_oscal-assessment-common_task[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-part object

A partition of an assessment plan or results or a child of another part.

name string required

A textual label that uniquely identifies the part's semantic type.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
uuid string

A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
ns string

A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.

format=uri
class string

A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.

pattern=^[_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-\.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$
title string

A name given to the part, which may be used by a tool for display and navigation.

props assembly_oscal-metadata_property[]
minItems=1
prose string

Permits multiple paragraphs, lists, tables etc.

parts assembly_oscal-assessment-common_assessment-part[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1