assessmentResults.schema.json
Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.
{
"AssessmentResults": {
"@type": "AssessmentResults",
"schemaVersion": 1,
"uuid": "String",
"metadata": {
"@type": "Metadata",
"title": "String",
"published": "Datetime",
"last-modified": "Datetime",
"version": "String",
"oscal-version": "String",
"revisions": [
{
"revisions(item)": {
"@type": "Revisions(item)",
"props": [
{
"props(item)": {
"@type": "Props(item)",
"name": "String",
"ns": "URI",
"value": "String",
"class": "String",
"group": "String",
"remarks": "String"
}
}
],
"links": [
{
"links(item)": {
"@type": "Links(item)",
"href": "URI",
"rel": "String",
"media-type": "String",
"resource-fragment": "String",
"text": "String"
}
}
]
}
}
],
"document-ids": [
{
"document-ids(item)": {
"@type": "Document-ids(item)",
"scheme": "URI",
"identifier": "String"
}
}
],
"roles": [
{
"roles(item)": {
"@type": "Roles(item)",
"description": "String",
"id": "String",
"short-name": "String"
}
}
],
"locations": [
{
"locations(item)": {
"@type": "Locations(item)",
"address": {
"@type": "Address",
"type": "String",
"addr-lines": [
{
"addr-lines(item)": "String"
}
],
"city": "String",
"state": "String",
"postal-code": "String",
"country": "String"
},
"email-addresses": [
{
"email-addresses(item)": "String"
}
],
"telephone-numbers": [
{
"telephone-numbers(item)": "TelephoneNumber"
}
],
"urls": [
{
"urls(item)": "URI"
}
]
}
}
],
"parties": [
{
"parties(item)": {
"@type": "Parties(item)",
"external-ids": [
{
"external-ids(item)": {
"@type": "External-ids(item)"
}
}
],
"addresses": [
{
"addresses(item)": {
"@type": "Addresses(item)"
}
}
],
"member-of-organizations": [
{
"member-of-organizations(item)": "String"
}
],
"location-uuids": [
{
"location-uuids(item)": "String"
}
]
}
}
],
"responsible-parties": [
{
"responsible-parties(item)": {
"@type": "Responsible-parties(item)",
"role-id": "String",
"party-uuids": [
{
"party-uuids(item)": "String"
}
]
}
}
],
"actions": [
{
"actions(item)": {
"@type": "Actions(item)",
"date": "Datetime",
"system": "URI"
}
}
]
},
"import-ap": {
"@type": "Import-ap"
},
"local-definitions": {
"@type": "Local-definitions",
"components": [
{
"components(item)": {
"@type": "Components(item)",
"purpose": "String",
"responsible-roles": [
{
"responsible-roles(item)": {
"@type": "Responsible-roles(item)"
}
}
],
"status": "String",
"protocols": [
{
"protocols(item)": {
"@type": "Protocols(item)",
"port-ranges": [
{
"port-ranges(item)": {
"@type": "Port-ranges(item)",
"start": "Integer",
"end": "Integer",
"transport": "String"
}
}
]
}
}
],
"control-implementations": [
{
"control-implementations(item)": {
"@type": "Control-implementations(item)",
"source": "URI",
"set-parameters": [
{
"set-parameters(item)": {
"@type": "Set-parameters(item)",
"param-id": "String",
"depends-on": "String",
"label": "String",
"usage": "String",
"constraints": [
{
"constraints(item)": {
"@type": "Constraints(item)",
"tests": [
{
"tests(item)": {
"@type": "Tests(item)",
"expression": "String"
}
}
]
}
}
],
"guidelines": [
{
"guidelines(item)": {
"@type": "Guidelines(item)",
"prose": "String"
}
}
],
"values": [
{
"values(item)": "String"
}
],
"select": {
"@type": "Select",
"how-many": "String",
"choice": [
{
"choice(item)": "String"
}
]
}
}
}
],
"implemented-requirements": [
{
"implemented-requirements(item)": {
"@type": "Implemented-requirements(item)",
"control-id": "String",
"statements": [
{
"statements(item)": {
"@type": "Statements(item)",
"statement-id": "String",
"by-components": [
{
"by-components(item)": {
"@type": "By-components(item)",
"component-uuid": "String",
"implementation-status": {
"@type": "Implementation-status"
},
"export": {
"@type": "Export",
"provided": [
{
"provided(item)": {
"@type": "Provided(item)"
}
}
],
"responsibilities": [
{
"responsibilities(item)": {
"@type": "Responsibilities(item)",
"provided-uuid": "String"
}
}
]
},
"inherited": [
{
"inherited(item)": {
"@type": "Inherited(item)"
}
}
],
"satisfied": [
{
"satisfied(item)": {
"@type": "Satisfied(item)",
"responsibility-uuid": "String"
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
],
"inventory-items": [
{
"inventory-items(item)": {
"@type": "Inventory-items(item)",
"implemented-components": [
{
"implemented-components(item)": {
"@type": "Implemented-components(item)"
}
}
]
}
}
],
"users": [
{
"users(item)": {
"@type": "Users(item)",
"role-ids": [
{
"role-ids(item)": "String"
}
],
"authorized-privileges": [
{
"authorized-privileges(item)": {
"@type": "Authorized-privileges(item)",
"functions-performed": [
{
"functions-performed(item)": "String"
}
]
}
}
]
}
}
],
"assessment-assets": {
"@type": "Assessment-assets",
"assessment-platforms": [
{
"assessment-platforms(item)": {
"@type": "Assessment-platforms(item)",
"uses-components": [
{
"uses-components(item)": {
"@type": "Uses-components(item)"
}
}
]
}
}
]
},
"objectives-and-methods": [
{
"objectives-and-methods(item)": {
"@type": "Objectives-and-methods(item)",
"parts": [
{
"parts(item)": {
"@type": "Parts(item)"
}
}
]
}
}
],
"activities": [
{
"activities(item)": {
"@type": "Activities(item)",
"steps": [
{
"steps(item)": {
"@type": "Steps(item)",
"reviewed-controls": {
"@type": "Reviewed-controls",
"control-selections": [
{
"control-selections(item)": {
"@type": "Control-selections(item)",
"include-all": "String",
"exclude-controls": [
{
"exclude-controls(item)": {
"@type": "Exclude-controls(item)",
"with-child-controls": "String",
"with-ids": [
{
"with-ids(item)": "String"
}
],
"statement-ids": [
{
"statement-ids(item)": "String"
}
],
"matching": [
{
"matching(item)": {
"@type": "Matching(item)",
"pattern": "String"
}
}
]
}
}
],
"include-controls": [
{
"include-controls(item)": {
"@type": "Include-controls(item)"
}
}
]
}
}
],
"control-objective-selections": [
{
"control-objective-selections(item)": {
"@type": "Control-objective-selections(item)",
"exclude-objectives": [
{
"exclude-objectives(item)": {
"@type": "Exclude-objectives(item)",
"objective-id": "String"
}
}
],
"include-objectives": [
{
"include-objectives(item)": {
"@type": "Include-objectives(item)"
}
}
]
}
}
]
}
}
}
],
"related-controls": {
"@type": "Related-controls"
}
}
}
]
},
"results": [
{
"results(item)": {
"@type": "Results(item)",
"attestations": [
{
"attestations(item)": {
"@type": "Attestations(item)"
}
}
],
"assessment-log": {
"@type": "Assessment-log",
"entries": [
{
"entries(item)": {
"@type": "Entries(item)",
"logged-by": [
{
"logged-by(item)": {
"@type": "Logged-by(item)",
"party-uuid": "String"
}
}
],
"related-tasks": [
{
"related-tasks(item)": {
"@type": "Related-tasks(item)",
"task-uuid": "String",
"subjects": [
{
"subjects(item)": {
"@type": "Subjects(item)",
"subject-uuid": "String",
"exclude-subjects": [
{
"exclude-subjects(item)": {
"@type": "Exclude-subjects(item)"
}
}
],
"include-subjects": [
{
"include-subjects(item)": {
"@type": "Include-subjects(item)"
}
}
]
}
}
],
"identified-subject": {
"@type": "Identified-subject",
"subject-placeholder-uuid": "String"
}
}
}
],
"status-change": "String",
"related-responses": [
{
"related-responses(item)": {
"@type": "Related-responses(item)",
"response-uuid": "String"
}
}
]
}
}
]
},
"observations": [
{
"observations(item)": {
"@type": "Observations(item)",
"methods": [
{
"methods(item)": "String"
}
],
"types": [
{
"types(item)": "String"
}
],
"origins": [
{
"origins(item)": {
"@type": "Origins(item)",
"actors": [
{
"actors(item)": {
"@type": "Actors(item)",
"actor-uuid": "String"
}
}
]
}
}
],
"relevant-evidence": [
{
"relevant-evidence(item)": {
"@type": "Relevant-evidence(item)"
}
}
],
"collected": "Datetime",
"expires": "Datetime"
}
}
],
"risks": [
{
"risks(item)": {
"@type": "Risks(item)",
"statement": "String",
"threat-ids": [
{
"threat-ids(item)": {
"@type": "Threat-ids(item)"
}
}
],
"characterizations": [
{
"characterizations(item)": {
"@type": "Characterizations(item)",
"origin": {
"@type": "Origin"
},
"facets": [
{
"facets(item)": {
"@type": "Facets(item)"
}
}
]
}
}
],
"mitigating-factors": [
{
"mitigating-factors(item)": {
"@type": "Mitigating-factors(item)",
"implementation-uuid": "String"
}
}
],
"deadline": "Datetime",
"remediations": [
{
"remediations(item)": {
"@type": "Remediations(item)",
"lifecycle": "String",
"required-assets": [
{
"required-assets(item)": {
"@type": "Required-assets(item)"
}
}
],
"tasks": [
{
"tasks(item)": {
"@type": "Tasks(item)",
"timing": {
"@type": "Timing",
"on-date": {
"@type": "On-date"
},
"within-date-range": {
"@type": "Within-date-range"
},
"at-frequency": {
"@type": "At-frequency",
"period": "Integer",
"unit": "String"
}
},
"dependencies": [
{
"dependencies(item)": {
"@type": "Dependencies(item)"
}
}
],
"associated-activities": [
{
"associated-activities(item)": {
"@type": "Associated-activities(item)",
"activity-uuid": "String"
}
}
]
}
}
]
}
}
],
"risk-log": {
"@type": "Risk-log"
},
"related-observations": [
{
"related-observations(item)": {
"@type": "Related-observations(item)",
"observation-uuid": "String"
}
}
]
}
}
],
"findings": [
{
"findings(item)": {
"@type": "Findings(item)",
"target": {
"@type": "Target",
"target-id": "String"
},
"implementation-statement-uuid": "String",
"related-risks": [
{
"related-risks(item)": {
"@type": "Related-risks(item)",
"risk-uuid": "String"
}
}
]
}
}
]
}
}
],
"back-matter": {
"@type": "Back-matter",
"resources": [
{
"resources(item)": {
"@type": "Resources(item)",
"citation": {
"@type": "Citation"
},
"rlinks": [
{
"rlinks(item)": {
"@type": "Rlinks(item)",
"hashes": [
{
"hashes(item)": {
"@type": "Hashes(item)",
"algorithm": "String"
}
}
]
}
}
],
"base64": {
"@type": "Base64",
"filename": "String"
}
}
}
]
}
}
}{
"AssessmentResults": {
"@type": "AssessmentResults",
"schemaVersion": 1,
"description": "Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.",
"uuid": {
"description": "Provides a globally unique means to identify a given assessment results instance.",
"type": "String"
},
"metadata": {
"@type": "Metadata",
"description": "Provides information about the containing document, and defines concepts that are shared across the document.",
"title": {
"description": "Document title as published, whitespace-normalized and BibTeX-escaped.",
"type": "String"
},
"published": {
"description": "The date and time the document was last made available.",
"nullable": true,
"type": "Datetime"
},
"last-modified": {
"description": "The date and time the document was last stored for later retrieval.",
"type": "Datetime"
},
"version": {
"description": "Version information for an item.",
"type": "String"
},
"oscal-version": {
"description": "The OSCAL model version the document was authored against and will conform to as valid.",
"type": "String"
},
"revisions": [
{
"revisions(item)": {
"@type": "Revisions(item)",
"description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).",
"props": [
{
"props(item)": {
"@type": "Props(item)",
"description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.",
"name": {
"description": "The name of the item or record.",
"type": "String"
},
"ns": {
"description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.",
"nullable": true,
"type": "URI"
},
"value": {
"description": "Indicates the value of the attribute, characteristic, or quality.",
"type": "String"
},
"class": {
"description": "A textual label that provides a sub-type or characterization of the property's name.",
"nullable": true,
"type": "String"
},
"group": {
"description": "An identifier for relating distinct sets of properties.",
"nullable": true,
"type": "String"
},
"remarks": {
"description": "Additional commentary about the containing object.",
"nullable": true,
"type": "String"
}
}
}
],
"links": [
{
"links(item)": {
"@type": "Links(item)",
"description": "A reference to a local or remote resource, that has a specific relation to the containing object.",
"href": {
"description": "A resolvable URL reference to a resource.",
"type": "URI"
},
"rel": {
"description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.",
"nullable": true,
"type": "String"
},
"media-type": {
"description": "A label that indicates the nature of a resource, as a data serialization or format.",
"nullable": true,
"type": "String"
},
"resource-fragment": {
"description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.",
"nullable": true,
"type": "String"
},
"text": {
"description": "Generic text of any sort.",
"type": "String"
}
}
}
]
}
}
],
"document-ids": [
{
"document-ids(item)": {
"@type": "Document-ids(item)",
"description": "A document identifier qualified by an identifier scheme.",
"scheme": {
"description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.",
"nullable": true,
"type": "URI"
},
"identifier": {
"description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+0009 (tab), U+000A (line feed), U+0020 (space), i.e. [ \n\t]+",
"type": "String"
}
}
}
],
"roles": [
{
"roles(item)": {
"@type": "Roles(item)",
"description": {
"description": "A summary of the role's purpose and associated responsibilities.",
"nullable": true,
"type": "String"
},
"id": {
"description": "A unique identifier for the role within this document; referenced by role-id and role-ids elsewhere in the document.",
"type": "String"
},
"short-name": {
"description": "A short common name, abbreviation, or acronym for the role.",
"nullable": true,
"type": "String"
}
}
}
],
"locations": [
{
"locations(item)": {
"@type": "Locations(item)",
"description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.",
"address": {
"@type": "Address",
"description": "A postal address for the location.",
"type": {
"description": "Indicates the type of address.",
"nullable": true,
"type": "String"
},
"addr-lines": [
{
"addr-lines(item)": {
"description": "A single line of an address.",
"type": "String"
}
}
],
"city": {
"description": "City, town or geographical region for the mailing address.",
"nullable": true,
"type": "String"
},
"state": {
"description": "State, province or analogous geographical region for a mailing address.",
"nullable": true,
"type": "String"
},
"postal-code": {
"description": "Postal or ZIP code for mailing address.",
"nullable": true,
"type": "String"
},
"country": {
"description": "The ISO 3166-1 alpha-2 country code for the mailing address.",
"nullable": true,
"type": "String"
}
},
"email-addresses": [
{
"email-addresses(item)": {
"description": "An email address as defined by RFC 5322 Section 3.4.1.",
"type": "String"
}
}
],
"telephone-numbers": [
{
"telephone-numbers(item)": {
"description": "A telephone service number as defined by ITU-T E.164.",
"type": "TelephoneNumber"
}
}
],
"urls": [
{
"urls(item)": {
"description": "The uniform resource locator (URL) for a web site or other resource associated with the location.",
"type": "URI"
}
}
]
}
}
],
"parties": [
{
"parties(item)": {
"@type": "Parties(item)",
"description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.",
"external-ids": [
{
"external-ids(item)": {
"@type": "External-ids(item)",
"description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)."
}
}
],
"addresses": [
{
"addresses(item)": {
"@type": "Addresses(item)",
"description": "A postal address for the party."
}
}
],
"member-of-organizations": [
{
"member-of-organizations(item)": {
"description": "A reference to another party by UUID, typically an organization, that this subject is associated with.",
"type": "String"
}
}
],
"location-uuids": [
{
"location-uuids(item)": {
"description": "Reference to a location by UUID.",
"type": "String"
}
}
]
}
}
],
"responsible-parties": [
{
"responsible-parties(item)": {
"@type": "Responsible-parties(item)",
"description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.",
"role-id": {
"description": "A reference to a role performed by a party.",
"type": "String"
},
"party-uuids": [
{
"party-uuids(item)": {
"description": "Reference to a party by UUID.",
"type": "String"
}
}
]
}
}
],
"actions": [
{
"actions(item)": {
"@type": "Actions(item)",
"description": "An action applied by a role within a given party to the content.",
"date": {
"description": "The date and time when the action occurred.",
"nullable": true,
"type": "Datetime"
},
"system": {
"description": "Specifies the action type system used.",
"type": "URI"
}
}
}
]
},
"import-ap": {
"@type": "Import-ap",
"description": "Used by assessment-results to import information about the original plan for assessing the system."
},
"local-definitions": {
"@type": "Local-definitions",
"description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.",
"components": [
{
"components(item)": {
"@type": "Components(item)",
"purpose": {
"description": "A summary of the technological or business purpose of the component.",
"nullable": true,
"type": "String"
},
"responsible-roles": [
{
"responsible-roles(item)": {
"@type": "Responsible-roles(item)",
"description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role."
}
}
],
"status": {
"description": "Release status: Released, In Review, or On Hold.",
"type": "String"
},
"protocols": [
{
"protocols(item)": {
"@type": "Protocols(item)",
"description": "Information about the protocol used to provide a service.",
"port-ranges": [
{
"port-ranges(item)": {
"@type": "Port-ranges(item)",
"description": "Where applicable this is the transport layer protocol port range an IPv4-based or IPv6-based service uses.",
"start": {
"description": "Indicates the starting port number in a port range for a transport layer protocol",
"nullable": true,
"type": "Integer"
},
"end": {
"description": "Indicates the ending port number in a port range for a transport layer protocol",
"nullable": true,
"type": "Integer"
},
"transport": {
"description": "Indicates the transport type.",
"nullable": true,
"type": "String"
}
}
}
]
}
}
],
"control-implementations": [
{
"control-implementations(item)": {
"@type": "Control-implementations(item)",
"source": {
"description": "A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.",
"type": "URI"
},
"set-parameters": [
{
"set-parameters(item)": {
"@type": "Set-parameters(item)",
"description": "A parameter setting, to be propagated to points of insertion.",
"param-id": {
"description": "An identifier for the parameter.",
"nullable": true,
"type": "String"
},
"depends-on": {
"description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.",
"nullable": true,
"type": "String"
},
"label": {
"description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.",
"nullable": true,
"type": "String"
},
"usage": {
"description": "Describes the purpose and use of a parameter.",
"nullable": true,
"type": "String"
},
"constraints": [
{
"constraints(item)": {
"@type": "Constraints(item)",
"tests": [
{
"tests(item)": {
"@type": "Tests(item)",
"description": "A test expression which is expected to be evaluated by a tool.",
"expression": {
"description": "A formal (executable) expression of a constraint.",
"type": "String"
}
}
}
]
}
}
],
"guidelines": [
{
"guidelines(item)": {
"@type": "Guidelines(item)",
"description": "A prose statement that provides a recommendation for the use of a parameter.",
"prose": {
"description": "Prose permits multiple paragraphs, lists, tables etc.",
"type": "String"
}
}
}
],
"values": [
{
"values(item)": {
"description": "A parameter value or set of values.",
"type": "String"
}
}
],
"select": {
"@type": "Select",
"description": "Presenting a choice among alternatives.",
"how-many": {
"description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.",
"nullable": true,
"type": "String"
},
"choice": [
{
"choice(item)": {
"description": "A value selection among several such options.",
"type": "String"
}
}
]
}
}
}
],
"implemented-requirements": [
{
"implemented-requirements(item)": {
"@type": "Implemented-requirements(item)",
"control-id": {
"description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).",
"type": "String"
},
"statements": [
{
"statements(item)": {
"@type": "Statements(item)",
"statement-id": {
"description": "A human-oriented identifier reference to a control statement.",
"type": "String"
},
"by-components": [
{
"by-components(item)": {
"@type": "By-components(item)",
"component-uuid": {
"description": "A machine-oriented identifier reference to a component.",
"type": "String"
},
"implementation-status": {
"@type": "Implementation-status",
"description": "Indicates the degree to which a given control is implemented."
},
"export": {
"@type": "Export",
"provided": [
{
"provided(item)": {
"@type": "Provided(item)"
}
}
],
"responsibilities": [
{
"responsibilities(item)": {
"@type": "Responsibilities(item)",
"provided-uuid": {
"description": "A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.",
"nullable": true,
"type": "String"
}
}
}
]
},
"inherited": [
{
"inherited(item)": {
"@type": "Inherited(item)"
}
}
],
"satisfied": [
{
"satisfied(item)": {
"@type": "Satisfied(item)",
"responsibility-uuid": {
"description": "A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.",
"nullable": true,
"type": "String"
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
}
],
"inventory-items": [
{
"inventory-items(item)": {
"@type": "Inventory-items(item)",
"implemented-components": [
{
"implemented-components(item)": {
"@type": "Implemented-components(item)",
"description": "The set of components that are implemented in a given system inventory item."
}
}
]
}
}
],
"users": [
{
"users(item)": {
"@type": "Users(item)",
"role-ids": [
{
"role-ids(item)": {
"description": "Reference to a role by its id (roles are identified by id, not UUID, in this schema).",
"type": "String"
}
}
],
"authorized-privileges": [
{
"authorized-privileges(item)": {
"@type": "Authorized-privileges(item)",
"functions-performed": [
{
"functions-performed(item)": {
"description": "Describes a function performed for a given authorized privilege by this user class.",
"type": "String"
}
}
]
}
}
]
}
}
],
"assessment-assets": {
"@type": "Assessment-assets",
"description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.",
"assessment-platforms": [
{
"assessment-platforms(item)": {
"@type": "Assessment-platforms(item)",
"description": "Used to represent the toolset used to perform aspects of the assessment.",
"uses-components": [
{
"uses-components(item)": {
"@type": "Uses-components(item)",
"description": "The set of components that are used by the assessment platform."
}
}
]
}
}
]
},
"objectives-and-methods": [
{
"objectives-and-methods(item)": {
"@type": "Objectives-and-methods(item)",
"parts": [
{
"parts(item)": {
"@type": "Parts(item)",
"description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part."
}
}
]
}
}
],
"activities": [
{
"activities(item)": {
"@type": "Activities(item)",
"steps": [
{
"steps(item)": {
"@type": "Steps(item)",
"reviewed-controls": {
"@type": "Reviewed-controls",
"control-selections": [
{
"control-selections(item)": {
"@type": "Control-selections(item)",
"include-all": {
"description": "Include all controls from the imported catalog or profile resources.",
"type": "String"
},
"exclude-controls": [
{
"exclude-controls(item)": {
"@type": "Exclude-controls(item)",
"description": "Select a control or controls from an imported control set.",
"with-child-controls": {
"description": "When a control is included, whether its child (dependent) controls are also included.",
"nullable": true,
"type": "String"
},
"with-ids": [
{
"with-ids(item)": {
"description": "Selecting a control by its ID given as a literal.",
"type": "String"
}
}
],
"statement-ids": [
{
"statement-ids(item)": {
"description": "Used to constrain the selection to only specifically identified statements.",
"type": "String"
}
}
],
"matching": [
{
"matching(item)": {
"@type": "Matching(item)",
"description": "Selecting a set of controls by matching their IDs with a wildcard pattern.",
"pattern": {
"description": "A glob expression matching the IDs of one or more controls to be selected.",
"nullable": true,
"type": "String"
}
}
}
]
}
}
],
"include-controls": [
{
"include-controls(item)": {
"@type": "Include-controls(item)",
"description": "Select a control or controls from an imported control set."
}
}
]
}
}
],
"control-objective-selections": [
{
"control-objective-selections(item)": {
"@type": "Control-objective-selections(item)",
"exclude-objectives": [
{
"exclude-objectives(item)": {
"@type": "Exclude-objectives(item)",
"description": "Used to select a control objective for inclusion/exclusion based on the control objective's identifier.",
"objective-id": {
"description": "Points to an assessment objective.",
"type": "String"
}
}
}
],
"include-objectives": [
{
"include-objectives(item)": {
"@type": "Include-objectives(item)",
"description": "Used to select a control objective for inclusion/exclusion based on the control objective's identifier."
}
}
]
}
}
]
}
}
}
],
"related-controls": {
"@type": "Related-controls",
"description": "Identifies the controls being assessed and their control objectives."
}
}
}
]
},
"results": [
{
"results(item)": {
"@type": "Results(item)",
"attestations": [
{
"attestations(item)": {
"@type": "Attestations(item)",
"description": "A set of textual statements, typically written by the assessor."
}
}
],
"assessment-log": {
"@type": "Assessment-log",
"description": "A log of all assessment-related actions taken.",
"entries": [
{
"entries(item)": {
"@type": "Entries(item)",
"logged-by": [
{
"logged-by(item)": {
"@type": "Logged-by(item)",
"description": "Used to indicate who created a log entry in what role.",
"party-uuid": {
"description": "A machine-oriented identifier reference to the party that created this log entry.",
"type": "String"
}
}
}
],
"related-tasks": [
{
"related-tasks(item)": {
"@type": "Related-tasks(item)",
"description": "Identifies an individual task for which the containing object is a consequence of.",
"task-uuid": {
"description": "A machine-oriented identifier reference to a unique task.",
"type": "String"
},
"subjects": [
{
"subjects(item)": {
"@type": "Subjects(item)",
"description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, reflecting any changes from the plan, and states exactly what was the focus of this assessment. Any subjects not identified in this way are out-of-scope.",
"subject-uuid": {
"description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using its UUID.",
"type": "String"
},
"exclude-subjects": [
{
"exclude-subjects(item)": {
"@type": "Exclude-subjects(item)",
"description": "Identifies a set of assessment subjects to include/exclude by UUID."
}
}
],
"include-subjects": [
{
"include-subjects(item)": {
"@type": "Include-subjects(item)",
"description": "Identifies a set of assessment subjects to include/exclude by UUID."
}
}
]
}
}
],
"identified-subject": {
"@type": "Identified-subject",
"description": "Used to detail assessment subjects that were identified by this task.",
"subject-placeholder-uuid": {
"description": "A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.",
"type": "String"
}
}
}
}
],
"status-change": {
"description": "Describes the status of the associated risk.",
"nullable": true,
"type": "String"
},
"related-responses": [
{
"related-responses(item)": {
"@type": "Related-responses(item)",
"description": "Identifies an individual risk response that this log entry is for.",
"response-uuid": {
"description": "A machine-oriented identifier reference to a unique risk response.",
"type": "String"
}
}
}
]
}
}
]
},
"observations": [
{
"observations(item)": {
"@type": "Observations(item)",
"methods": [
{
"methods(item)": {
"description": "Identifies how the observation was made.",
"type": "String"
}
}
],
"types": [
{
"types(item)": {
"description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.",
"type": "String"
}
}
],
"origins": [
{
"origins(item)": {
"@type": "Origins(item)",
"description": "Identifies the source of the finding, such as a tool, interviewed person, or activity.",
"actors": [
{
"actors(item)": {
"@type": "Actors(item)",
"description": "The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.",
"actor-uuid": {
"description": "A machine-oriented identifier reference to the tool or person based on the associated type.",
"type": "String"
}
}
}
]
}
}
],
"relevant-evidence": [
{
"relevant-evidence(item)": {
"@type": "Relevant-evidence(item)"
}
}
],
"collected": {
"description": "Date/time stamp identifying when the finding information was collected.",
"type": "Datetime"
},
"expires": {
"description": "Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.",
"nullable": true,
"type": "Datetime"
}
}
}
],
"risks": [
{
"risks(item)": {
"@type": "Risks(item)",
"statement": {
"description": "A summary of impact for how the risk affects the system.",
"type": "String"
},
"threat-ids": [
{
"threat-ids(item)": {
"@type": "Threat-ids(item)",
"description": "A pointer, by ID, to an externally-defined threat."
}
}
],
"characterizations": [
{
"characterizations(item)": {
"@type": "Characterizations(item)",
"description": "A collection of descriptive data about the containing object from a specific origin.",
"origin": {
"@type": "Origin",
"description": "Identifies the source of the finding, such as a tool, interviewed person, or activity."
},
"facets": [
{
"facets(item)": {
"@type": "Facets(item)",
"description": "An individual characteristic that is part of a larger set produced by the same actor."
}
}
]
}
}
],
"mitigating-factors": [
{
"mitigating-factors(item)": {
"@type": "Mitigating-factors(item)",
"implementation-uuid": {
"description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instances. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.",
"nullable": true,
"type": "String"
}
}
}
],
"deadline": {
"description": "The date/time by which the risk must be resolved.",
"nullable": true,
"type": "Datetime"
},
"remediations": [
{
"remediations(item)": {
"@type": "Remediations(item)",
"lifecycle": {
"description": "Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.",
"type": "String"
},
"required-assets": [
{
"required-assets(item)": {
"@type": "Required-assets(item)"
}
}
],
"tasks": [
{
"tasks(item)": {
"@type": "Tasks(item)",
"timing": {
"@type": "Timing",
"description": "The timing under which the task is intended to occur.",
"on-date": {
"@type": "On-date",
"description": "The task is intended to occur on the specified date."
},
"within-date-range": {
"@type": "Within-date-range",
"description": "The task is intended to occur within the specified date range."
},
"at-frequency": {
"@type": "At-frequency",
"description": "The task is intended to occur at the specified frequency.",
"period": {
"description": "The task must occur after the specified period has elapsed.",
"type": "Integer"
},
"unit": {
"description": "The unit of time for the period.",
"type": "String"
}
}
},
"dependencies": [
{
"dependencies(item)": {
"@type": "Dependencies(item)",
"description": "Used to indicate that a task is dependent on another task."
}
}
],
"associated-activities": [
{
"associated-activities(item)": {
"@type": "Associated-activities(item)",
"description": "Identifies an individual activity to be performed as part of a task.",
"activity-uuid": {
"description": "A machine-oriented identifier reference to an activity defined in the list of activities.",
"type": "String"
}
}
}
]
}
}
]
}
}
],
"risk-log": {
"@type": "Risk-log",
"description": "A log of all risk-related tasks taken."
},
"related-observations": [
{
"related-observations(item)": {
"@type": "Related-observations(item)",
"description": "Relates the identified element to a set of referenced observations that were used to support its determination.",
"observation-uuid": {
"description": "A machine-oriented identifier reference to an observation defined in the list of observations.",
"type": "String"
}
}
}
]
}
}
],
"findings": [
{
"findings(item)": {
"@type": "Findings(item)",
"target": {
"@type": "Target",
"target-id": {
"description": "A machine-oriented identifier reference for a specific target qualified by the type.",
"type": "String"
}
},
"implementation-statement-uuid": {
"description": "A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.",
"nullable": true,
"type": "String"
},
"related-risks": [
{
"related-risks(item)": {
"@type": "Related-risks(item)",
"description": "Relates the finding to a set of referenced risks that were used to determine the finding.",
"risk-uuid": {
"description": "A machine-oriented identifier reference to a risk defined in the list of risks.",
"type": "String"
}
}
}
]
}
}
]
}
}
],
"back-matter": {
"@type": "Back-matter",
"description": "A collection of resources that may be referenced from within the OSCAL document instance.",
"resources": [
{
"resources(item)": {
"@type": "Resources(item)",
"citation": {
"@type": "Citation",
"description": "An optional citation consisting of end note text using structured markup."
},
"rlinks": [
{
"rlinks(item)": {
"@type": "Rlinks(item)",
"description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.",
"hashes": [
{
"hashes(item)": {
"@type": "Hashes(item)",
"description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.",
"algorithm": {
"description": "The digest method by which a hash is derived.",
"type": "String"
}
}
}
]
}
}
],
"base64": {
"@type": "Base64",
"description": "A resource encoded using the Base64 alphabet defined by RFC 2045.",
"filename": {
"description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.",
"nullable": true,
"type": "String"
}
}
}
}
]
}
}
}