-
Notifications
You must be signed in to change notification settings - Fork 176
/
oscal_assessment-results_metaschema.xml
274 lines (262 loc) · 17.7 KB
/
oscal_assessment-results_metaschema.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
<METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
<schema-name>OSCAL Assessment Results Model</schema-name>
<schema-version>1.1.1</schema-version>
<short-name>oscal-ar</short-name>
<namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
<json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
<remarks>
<p>The OSCAL assessment results format is used to describe the information typically provided by an assessor following an assessment.</p>
<p>The root of the OSCAL assessment results format is <code>assessment-results</code>.
</p>
</remarks>
<!-- IMPORT STATEMENTS -->
<import href="oscal_metadata_metaschema.xml"/>
<import href="oscal_assessment-common_metaschema.xml"/>
<!-- TOP LEVEL ASSEMBLY -->
<define-assembly name="assessment-results">
<formal-name>Security Assessment Results (SAR)</formal-name>
<description>Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.</description>
<root-name>assessment-results</root-name>
<define-flag name="uuid" required="yes" as-type="uuid">
<formal-name>Assessment Results Universally Unique Identifier</formal-name>
<!-- Identifier Declaration -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this assessment results instance in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ar-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>assessment result</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
</define-flag>
<model>
<assembly ref="metadata" min-occurs="1" max-occurs="1"/>
<assembly ref="import-ap" min-occurs="1" max-occurs="1">
<remarks>
<p>Used by the SAR to import information about the original plan for assessing the system.</p>
</remarks>
</assembly>
<define-assembly name="local-definitions">
<!-- CHANGE: added "local-definitions" -->
<formal-name>Local Definitions</formal-name>
<description>Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.</description>
<model>
<assembly ref="local-objective" min-occurs="0" max-occurs="unbounded">
<use-name>objectives-and-methods</use-name>
<group-as name="objectives-and-methods" in-json="ARRAY"/>
</assembly>
<!-- CHANGED: implemented new model -->
<assembly ref="activity" min-occurs="0" max-occurs="unbounded">
<use-name>activity</use-name>
<group-as name="activities" in-json="ARRAY"/>
</assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
</define-assembly>
<assembly ref="result" min-occurs="1" max-occurs="unbounded">
<!-- CHANGED: "results" to "result" -->
<use-name>result</use-name>
<!-- CHANGED: "results_group" to "results" -->
<group-as name="results" in-json="ARRAY"/>
</assembly>
<assembly ref="back-matter" min-occurs="0" max-occurs="1"/>
</model>
</define-assembly>
<!-- ********** RESULTS Assembly ********** -->
<define-assembly name="result">
<formal-name>Assessment Result</formal-name>
<description>Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.</description>
<define-flag name="uuid" required="yes" as-type="uuid">
<formal-name>Results Universally Unique Identifier</formal-name>
<!-- Identifier Declaration -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this set of results in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ar-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>assessment result</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
</define-flag>
<model>
<define-field name="title" min-occurs="1" max-occurs="1" as-type="markup-line">
<formal-name>Results Title</formal-name>
<description>The title for this set of results.</description>
</define-field>
<!-- CHANGE: Added WITH_WRAPPER to description -->
<define-field name="description" min-occurs="1" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
<formal-name>Results Description</formal-name>
<description>A human-readable description of this set of test results.</description>
</define-field>
<define-field name="start" as-type="dateTime-with-timezone" min-occurs="1" max-occurs="1">
<formal-name>start field</formal-name>
<description>Date/time stamp identifying the start of the evidence collection reflected in these results.</description>
</define-field>
<define-field name="end" as-type="dateTime-with-timezone" max-occurs="1">
<formal-name>end field</formal-name>
<description>Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.</description>
</define-field>
<assembly ref="property" max-occurs="unbounded">
<group-as name="props" in-json="ARRAY"/>
</assembly>
<assembly ref="link" max-occurs="unbounded">
<group-as name="links" in-json="ARRAY"/>
</assembly>
<define-assembly name="local-definitions">
<!-- CHANGE: added "local-definitions" -->
<formal-name>Local Definitions</formal-name>
<description>Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.</description>
<model>
<assembly ref="system-component" min-occurs="0" max-occurs="unbounded">
<use-name>component</use-name>
<group-as name="components" in-json="ARRAY"/>
<remarks>
<p>Used to add any components, not defined via the System Security Plan (AR->AP->SSP)</p>
</remarks>
</assembly>
<assembly ref="inventory-item" min-occurs="0" max-occurs="unbounded">
<group-as name="inventory-items" in-json="ARRAY"/>
<remarks>
<p>Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)</p>
</remarks>
</assembly>
<assembly ref="system-user" min-occurs="0" max-occurs="unbounded">
<use-name>user</use-name>
<group-as name="users" in-json="ARRAY"/>
<remarks>
<p>Used to add any users, not defined via the System Security Plan (AR->AP->SSP)</p>
</remarks>
</assembly>
<assembly ref="assessment-assets" min-occurs="0" max-occurs="1">
<!-- To augment the assessment plan -->
<remarks>
<p>This needs to be defined in the results if an assessment platform used is different from the one described in the assessment plan. Else the platform(s) defined in the plan may be referenced within the results.</p>
</remarks>
</assembly>
<assembly ref="task" min-occurs="0" max-occurs="unbounded">
<use-name>assessment-task</use-name>
<group-as name="tasks" in-json="ARRAY"/>
</assembly>
</model>
<constraint>
<is-unique id="unique-ar-local-definitions-component" target="component">
<key-field target="@uuid"/>
<remarks>
<p>Since multiple <code>component</code> entries can be provided, each component must have a unique <code>uuid</code>.</p>
</remarks>
</is-unique>
<is-unique id="unique-ar-local-definitions-user" target="user">
<key-field target="@uuid"/>
<remarks>
<p>A given <code>uuid</code> must be assigned only once to a user.</p>
</remarks>
</is-unique>
</constraint>
</define-assembly>
<!-- CHANGED: "objectives" to "reviewed-controls" -->
<assembly ref="reviewed-controls" min-occurs="1" max-occurs="1">
<remarks>
<p>The Assessment Results <code>control-selection</code> ignores any control selection in the Assessment Plan and re-selects controls from the baseline identified by the SSP.</p>
<p>The Assessment Results <code>control-objective-selection</code> ignores any control objective selection in the Assessment Plan and re-selects control objectives from the baseline identified by the SSP.</p>
<p>Any additional control objectives defined in the Assessment Plan <code>local-definitions</code> do not need to be re-defined in the Assessment Results <code>local-definitions</code>; however, if they were explicitly referenced with an Assessment Plan <code>control-objective-selection</code>, they need to be selected again in the Assessment Results <code>control-objective-selection</code>.</p>
</remarks>
</assembly>
<define-assembly name="attestation" max-occurs="unbounded">
<formal-name>Attestation Statements</formal-name>
<description>A set of textual statements, typically written by the assessor.</description>
<group-as name="attestations" in-json="ARRAY"/>
<model>
<assembly ref="responsible-party" max-occurs="unbounded">
<group-as name="responsible-parties" in-json="ARRAY"/>
</assembly>
<assembly ref="assessment-part" min-occurs="1" max-occurs="unbounded">
<!-- TODO: defined allowed parts: authorization-statement -->
<use-name>part</use-name>
<group-as name="parts" in-json="ARRAY"/>
</assembly>
</model>
<constraint>
<is-unique id="unique-ar-attestation-responsible-party" target="responsible-party">
<key-field target="@role-id"/>
<remarks>
<p>Since <code>responsible-party</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
</remarks>
</is-unique>
</constraint>
</define-assembly>
<!-- CHANGED: removed "schedule" and replaced with "assessment-log" -->
<define-assembly name="assessment-log">
<formal-name>Assessment Log</formal-name>
<description>A log of all assessment-related actions taken.</description>
<model>
<define-assembly name="entry" min-occurs="1" max-occurs="unbounded">
<formal-name>Assessment Log Entry</formal-name>
<!-- TODO: improve this description -->
<description>Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.</description>
<group-as name="entries" in-json="ARRAY"/>
<define-flag name="uuid" required="yes" as-type="uuid">
<formal-name>Assessment Log Entry Universally Unique Identifier</formal-name>
<!-- Identifier Declaration -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference an assessment event in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ar-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>assessment log entry</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
</define-flag>
<model>
<define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
<formal-name>Action Title</formal-name>
<description>The title for this event.</description>
</define-field>
<!-- CHANGE: Added WITH_WRAPPER to description -->
<define-field name="description" min-occurs="0" max-occurs="1" as-type="markup-multiline" in-xml="WITH_WRAPPER">
<formal-name>Action Description</formal-name>
<description>A human-readable description of this event.</description>
</define-field>
<define-field name="start" as-type="dateTime-with-timezone" min-occurs="1" max-occurs="1">
<formal-name>Start</formal-name>
<description>Identifies the start date and time of an event.</description>
</define-field>
<define-field name="end" as-type="dateTime-with-timezone" max-occurs="1">
<formal-name>End</formal-name>
<description>Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.</description>
</define-field>
<assembly ref="property" max-occurs="unbounded">
<group-as name="props" in-json="ARRAY"/>
</assembly>
<assembly ref="link" max-occurs="unbounded">
<group-as name="links" in-json="ARRAY"/>
</assembly>
<assembly ref="logged-by" max-occurs="unbounded">
<group-as name="logged-by" in-json="ARRAY"/>
</assembly>
<!-- CHANGED: Added "related-task" -->
<assembly ref="related-task" max-occurs="unbounded">
<group-as name="related-tasks" in-json="ARRAY"/>
</assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
</define-assembly>
</model>
</define-assembly>
<!-- CHANGE: move "observation" from finding -->
<assembly ref="observation" min-occurs="0" max-occurs="unbounded">
<group-as name="observations" in-json="ARRAY"/>
</assembly>
<!-- CHANGE: move "risk" from finding -->
<assembly ref="risk" max-occurs="unbounded">
<group-as name="risks" in-json="ARRAY"/>
</assembly>
<assembly ref="finding" max-occurs="unbounded">
<group-as name="findings" in-json="ARRAY"/>
</assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
</define-assembly>
<!-- Moved Finding Assembly to Assessment Common -->
<!-- Assessment Plan Import -->
<define-assembly name="import-ap">
<formal-name>Import Assessment Plan</formal-name>
<description>Used by assessment-results to import information about the original plan for assessing the system.</description>
<define-flag name="href" required="yes" as-type="uri-reference">
<formal-name>Assessment Plan Reference</formal-name>
<description>A resolvable URL reference to the assessment plan governing the assessment activities.</description>
<remarks>
<p>This value may be one of:</p>
<ol>
<li>an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that points to a network resolvable resource,</li>
<li>a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#relative-reference">relative reference</a> pointing to a network resolvable resource whose base URI is the URI of the containing document, or</li>
<li>a bare URI fragment (i.e., `#uuid`) pointing to a <code>back-matter</code> resource in this or an imported document (see <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#linking-to-another-oscal-object">linking to another OSCAL object</a>).</li>
</ol>
</remarks>
</define-flag>
<model>
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
</define-assembly>
</METASCHEMA>