-
Notifications
You must be signed in to change notification settings - Fork 174
/
oscal_poam_metaschema.xml
180 lines (176 loc) · 12.2 KB
/
oscal_poam_metaschema.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
<METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema-xslt/support/metaschema/schema/xml/metaschema.xsd">
<schema-name>OSCAL Plan of Action and Milestones (POA&M) Model</schema-name>
<schema-version>1.1.1</schema-version>
<short-name>oscal-poam</short-name>
<namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
<json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
<remarks>
<p>The OSCAL Plan of Action and Milestones (POA&M) format is used to describe the information typically provided by an assessor during the preparation for an assessment.</p>
<p>The root of the OSCAL Plan of Action and Milestones (POA&M) format is <code>plan-action-milestones</code>.
</p>
</remarks>
<!-- IMPORT STATEMENTS -->
<import href="oscal_metadata_metaschema.xml"/>
<import href="oscal_implementation-common_metaschema.xml"/>
<import href="oscal_assessment-common_metaschema.xml"/>
<!-- TOP LEVEL ASSEMBLY -->
<define-assembly name="plan-of-action-and-milestones">
<formal-name>Plan of Action and Milestones (POA&M)</formal-name>
<description>A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.</description>
<root-name>plan-of-action-and-milestones</root-name>
<define-flag name="uuid" required="yes" as-type="uuid">
<formal-name>POA&M Universally Unique Identifier</formal-name>
<!-- Identifier Declaration -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#instance">instance</a>scope that can be used to reference this POA&M instance in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#poam-identifiers">this OSCAL instance</a>. This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
</define-flag>
<model>
<assembly ref="metadata" min-occurs="1" max-occurs="1"/>
<!-- QUESTION: should this be a choice with system-id? -->
<assembly ref="import-ssp" min-occurs="0" max-occurs="1">
<remarks>
<p>Used by the POA&M to import information about the system.</p>
</remarks>
</assembly>
<field ref="system-id" min-occurs="0" max-occurs="1"/>
<assembly ref="local-definitions" min-occurs="0" max-occurs="1"/>
<!-- CHANGE: move "observation" from poam-item -->
<assembly ref="observation" min-occurs="0" max-occurs="unbounded">
<group-as name="observations" in-json="ARRAY"/>
</assembly>
<!-- CHANGE: move "risk" from poam-item -->
<assembly ref="risk" min-occurs="0" max-occurs="unbounded">
<group-as name="risks" in-json="ARRAY"/>
</assembly>
<assembly ref="finding" min-occurs="0" max-occurs="unbounded">
<group-as name="findings" in-json="ARRAY"/>
</assembly>
<assembly ref="poam-item" min-occurs="1" max-occurs="unbounded">
<!-- CHANGED: removed the top-level "poam-items" -->
<!-- CHANGED: "poam-item-group" to "poam-items" -->
<group-as name="poam-items" in-json="ARRAY"/>
</assembly>
<assembly ref="back-matter" min-occurs="0" max-occurs="1"/>
</model>
<remarks>
<p>Either an OSCAL-based SSP must be imported, or a unique system-id must be specified. Both may be present.</p>
</remarks>
</define-assembly>
<define-assembly name="local-definitions">
<formal-name>Local Definitions</formal-name>
<description>Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.</description>
<model>
<assembly ref="system-component" min-occurs="0" max-occurs="unbounded">
<use-name>component</use-name>
<group-as name="components" in-json="ARRAY"/>
<remarks>
<p>Used to add any components, not defined via the System Security Plan (AR->AP->SSP)</p>
</remarks>
</assembly>
<assembly ref="inventory-item" min-occurs="0" max-occurs="unbounded">
<group-as name="inventory-items" in-json="ARRAY"/>
<remarks>
<p>Used to add any inventory-items, not defined via the System Security Plan (AR->AP->SSP)</p>
</remarks>
</assembly>
<!-- CHANGED: added to specify components and assessment-platforms from the assessment -->
<assembly ref="assessment-assets" min-occurs="0" max-occurs="1">
<remarks>
<p>Specifies components or assessment-platforms used in the assessment.</p>
</remarks>
</assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
<constraint>
<is-unique id="unique-poam-local-definitions-component" target="component">
<key-field target="@uuid"/>
<remarks>
<p>Since multiple <code>component</code> entries can be provided, each component must have a unique <code>uuid</code>.</p>
</remarks>
</is-unique>
</constraint>
</define-assembly>
<define-assembly name="poam-item">
<formal-name>POA&M Item</formal-name>
<description>Describes an individual POA&M item.</description>
<define-flag name="uuid" as-type="uuid">
<formal-name>POA&M Item Universally Unique Identifier</formal-name>
<!-- Identifier Declaration -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#instance">instance</a> scope that can be used to reference this POA&M item entry in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#poam-identifiers">this OSCAL instance</a>. This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
</define-flag>
<model>
<define-field name="title" min-occurs="1" max-occurs="1" as-type="markup-line">
<formal-name>POA&M Item Title</formal-name>
<description>The title or name for this POA&M item .</description>
</define-field>
<!-- CHANGE: Added WITH_WRAPPER to description-->
<define-field name="description" min-occurs="1" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
<formal-name>POA&M Item Description</formal-name>
<description>A human-readable description of POA&M item.</description>
</define-field>
<assembly ref="property" max-occurs="unbounded">
<group-as name="props" in-json="ARRAY"/>
</assembly>
<assembly ref="link" max-occurs="unbounded">
<group-as name="links" in-json="ARRAY"/>
</assembly>
<define-assembly name="origin" max-occurs="unbounded">
<formal-name>Origin</formal-name>
<description>Identifies the source of the finding, such as a tool or person.</description>
<group-as name="origins" in-json="ARRAY"/>
<model>
<assembly ref="origin-actor" min-occurs="1" max-occurs="unbounded">
<use-name>actor</use-name>
<group-as name="actors" in-json="ARRAY"/>
</assembly>
</model>
<remarks>
<p>Used to identify the individual and/or tool generated this poam-item.</p>
</remarks>
</define-assembly>
<define-assembly name="related-finding" min-occurs="0" max-occurs="unbounded">
<formal-name>Related Finding</formal-name>
<description>Relates the poam-item to referenced finding(s).</description>
<group-as name="related-findings" in-json="ARRAY"/>
<define-flag name="finding-uuid" as-type="uuid" required="yes">
<formal-name>Finding Universally Unique Identifier Reference</formal-name>
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a finding defined in the list of findings.</description>
</define-flag>
</define-assembly>
<!-- TODO: add link; check in the other assessment models -->
<!-- CHANGED: removed "collected" and "expires" (moved to observation) by brianrufgsa -->
<!-- CHANGED: removed "objective-status" per brianrufgsa -->
<!-- CHANGED: (per Brian) removed "implementation-statement-uuid" since this is in the SAR -->
<!-- CHANGED: replaced embedded observation with references -->
<define-assembly name="related-observation" max-occurs="unbounded">
<formal-name>Related Observation</formal-name>
<description>Relates the poam-item to a set of referenced observations that were used to determine the finding.</description>
<group-as name="related-observations" in-json="ARRAY"/>
<define-flag name="observation-uuid" as-type="uuid" required="yes">
<formal-name>Observation Universally Unique Identifier Reference</formal-name>
<!-- Identifier Reference -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to an observation defined in the list of observations.</description>
</define-flag>
</define-assembly>
<!-- CHANGED: replaced "risk" with new "assciated-risk" -->
<define-assembly name="associated-risk" max-occurs="unbounded">
<formal-name>Associated Risk</formal-name>
<description>Relates the finding to a set of referenced risks that were used to determine the finding.</description>
<group-as name="related-risks" in-json="ARRAY"/>
<define-flag name="risk-uuid" as-type="uuid" required="yes">
<formal-name>Risk Universally Unique Identifier Reference</formal-name>
<!-- Identifier Reference -->
<description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a risk defined in the list of risks.</description>
</define-flag>
</define-assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
<constraint>
<expect level="WARNING" target="." test="@uuid">
<message>It is a best practice to provide a UUID.</message>
</expect>
</constraint>
</define-assembly>
</METASCHEMA>