All Classes and Interfaces

Class
Description
Visits a catalog document and its children as designated.
Used to visit a catalog containing groups and controls.
An action applied by a role within a given party to the content.
Identifies an assessment or related process that can be performed.
Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.
A postal address for the location.
Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.
Used to represent the toolset used to perform aspects of the assessment.
The set of components that are used by the assessment platform.
A local definition of a control objective.
A partition of an assessment plan or results or a child of another part.
An assessment plan, such as those provided by a FedRAMP assessor.
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
Used to define various terms and conditions under which an assessment, described by the plan, can be performed.
Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
Identifies system elements being assessed, such as components, inventory items, and locations.
Used when the assessment subjects will be determined as part of one or more other assessment activities.
Assessment subjects will be identified while conducting the referenced activity-instance.
A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.
Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.
A collection of resources that may be referenced from within the OSCAL document instance.
A resource associated with content in the containing document instance.
A resource encoded using the Base64 alphabet defined by RFC 2045.
An optional citation consisting of end note text using structured markup.
A URL-based pointer to an external resource with an optional hash for verification and change detection.
Defines how the referenced component implements a set of controls.
Identifies content intended for external consumption, such as with leveraged organizations.
Describes a capability which may be inherited by a leveraging system.
Describes a control implementation responsibility imposed on a leveraging system.
Describes a control implementation inherited by a leveraging system.
Describes how this system satisfies a responsibility imposed by a leveraged system.
A grouping of other components and/or capabilities.
A structured, organized collection of control information.
A group of controls, or of groups of controls.
A collection of descriptive data about the containing object from a specific origin.
An individual characteristic that is part of a larger set produced by the same actor.
Defines how the component or capability supports a set of controls.
A collection of component descriptions, which may optionally be grouped by capability.
Describes how the containing component or capability implements an individual control.
Identifies which statements within a control are addressed.
A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.
Describes how the system satisfies a set of controls.
A visitor that walks a catalog visiting controls and parameters.
An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.
Walks a Catalog indexing all nodes that can be referenced.
A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.
A defined component that can be part of an implemented system.
A graphic that provides a visual representation of the system, or some aspect of it.
A document identifier qualified by an identifier scheme.
Describes an individual finding.
Relates the finding to a set of referenced risks that were used to determine the finding.
Relates the finding to a set of referenced observations that were used to determine the finding.
Captures an assessor's conclusions regarding the degree to which an objective is satisfied.
A determination of whether the objective is satisfied within a given system.
A representation of a cryptographic digest generated over a resource using a specified hash algorithm.
Used to visit a catalog containing groups and controls.
The expected level of impact resulting from the described information.
Indicates the degree to which a given control is implemented.
Describes how the system satisfies the requirements of an individual control.
Used by assessment-results to import information about the original plan for assessing the system.
Loads a component definition from another resource.
Used to import the OSCAL profile representing the system's control baseline.
Used by the assessment plan and POA&M to import information about the system.
Include all controls from the imported catalog or profile resources.
The collection of components comprising this capability.
Specifies which controls to use in the containing context.
A single managed inventory item within the system.
The set of components that are implemented in a given system inventory item.
A visitor used to process references.
A reference to a local or remote resource, that has a specific relation to the containing object.
Allows components and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.
A local definition of a control objective for this assessment.
Used to indicate who created a log entry in what role.
Selecting a set of controls by matching their IDs with a wildcard pattern.
Provides structuring directives that instruct how controls are organized after profile resolution.
A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID).
Provides an alternate grouping structure that selected controls will be placed in.
Directs that controls appear without any grouping structure.
Provides information about the containing document, and defines concepts that are shared across the document.
A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.
An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.
An identifier for a person or organization using a designated scheme, e.g. an Open Researcher and Contributor ID (ORCID).
An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).
Defines a function, which might be assigned to a party in a specific situation.
Set parameters or amend controls in resolution.
Specifies changes to be made to an included control when a profile is resolved.
Specifies contents to be added into controls, in resolution.
Specifies objects to be removed from a control based on specific aspects of the object that must all match.
A parameter setting, to be propagated to points of insertion.
A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.
Describes an individual observation.
Links this observation to relevant evidence.
Identifies the source of the finding, such as a tool, interviewed person, or activity.
The actor that produces an observation, a finding, or a risk.
Parameters provide a mechanism for the dynamic assignment of value(s) in a control.
A formal or informal expression of a constraint or test.
A test expression which is expected to be evaluated by a tool.
A prose statement that provides a recommendation for the use of a parameter.
Presenting a choice among alternatives.
A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.
Describes an individual POA&M item.
Relates the finding to a set of referenced risks that were used to determine the finding.
Identifies the source of the finding, such as a tool or person.
Relates the poam-item to referenced finding(s).
Relates the poam-item to a set of referenced observations that were used to determine the finding.
Where applicable, this is the IPv4 port range on which the service operates.
Each OSCAL profile is defined by a profile element.
A group of (selected) controls or of groups of controls.
Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.
Select a control or controls from an imported control set.
An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.
Information about the protocol used to provide a service.
Identifies an individual task of which the containing object is a consequence.
Used to detail assessment subjects that were identified by this task.
Describes either a recommended or an actual plan for addressing the risk.
Identifies an asset required to achieve remediation.
A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.
A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.
Used by the assessment results and POA&M.
A log of all assessment-related actions taken.
Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.
A set of textual statements, typically written by the assessor.
Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.
Identifies the controls being assessed and their control objectives.
Identifies the control objectives of the assessment.
Identifies the controls being assessed.
An identified risk.
Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.
Relates the finding to a set of referenced observations that were used to determine the finding.
A log of all risk-related tasks taken.
Identifies an individual risk response that occurred as part of managing an identified risk.
Identifies an individual risk response that this log entry is for.
The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.
Used to select a control for inclusion/exclusion based on one or more control identifiers.
Used to select a control objective for inclusion/exclusion based on the control objective's identifier.
Identifies a set of assessment subjects to include/exclude by UUID.
Identifies the parameter that will be set by the enclosed value.
Identifies which statements within a control are addressed.
Describes the operational status of the system.
A human-oriented identifier reference to a resource.
Contains the characteristics of the system, such as its name, purpose, and security impact level.
A defined component that can be part of an implemented system.
Describes the operational status of the system component.
A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances.
Provides information as to how the system is implemented.
A description of another authorized system from which this system inherits capabilities that satisfy security requirements.
Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.
A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.
A system security plan, such as those described in NIST SP 800-18.
A type of user that interacts with the system based on an associated role.
Represents a scheduled event or milestone, which may be associated with a series of assessment actions.
Identifies an individual activity to be performed as part of a task.
Used to indicate that a task is dependent on another task.
The timing under which the task is intended to occur.
The task is intended to occur at the specified frequency.
The task is intended to occur on the specified date.
The task is intended to occur within the specified date range.
A telephone service number as defined by ITU-T E.164.
A pointer, by ID, to an externally-defined threat.