Package gov.nist.secauto.oscal.lib.model

Class Control

java.lang.Object
gov.nist.secauto.oscal.lib.model.control.catalog.AbstractControl
gov.nist.secauto.oscal.lib.model.Control
All Implemented Interfaces:
gov.nist.secauto.metaschema.core.model.IBoundObject, gov.nist.secauto.metaschema.databind.io.IDeserializationHandler, IControl, IControlContainer
@MetaschemaAssembly(formalName="Control", description="A [structured object](https://pages.nist.gov/OSCAL/concepts/terminology/#control) representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.", name="control", moduleClass=OscalCatalogModule.class, remarks="Each security or privacy control within the catalog is defined by a distinct control instance. Controls may be as complex or as simple as a catalog defines them. They may be decomposed or further specified into child `control` objects, for example to represent control enhancements or specific breakouts of control functionality, to be maintained as discrete requirements. Controls may also contain structured parts (using `part`) and they may be grouped together in families or classes with `group`.\n\nControl structures in OSCAL will also exhibit regularities and rules that are not codified in OSCAL but in its applications or domains of application. For example, for catalogs describing controls as defined by NIST SP 800-53, a control must have a part with the name \"statement\", which represents the textual narrative of the control. This \"statement\" part must occur only once, but may have nested parts to allow for multiple paragraphs or sections of text. This organization supports addressability of this data content as long as, and only insofar as, it is consistently implemented across the control set. As given with these model definitions, constraints defined and assigned here can aid in ensuring this regularity; but other such constraints and other useful patterns of use remain to be discovered and described.", valueConstraints=@ValueConstraints(allowedValues={@AllowedValues(level=ERROR,target="prop[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\')]/@name",values={@AllowedValue(value="label",description="A human-readable label for the parent context, which may be rendered in place of the actual identifier for some use cases."),@AllowedValue(value="sort-id",description="An alternative identifier, whose value is easily sortable among other such values in the document."),@AllowedValue(value="alt-identifier",description="An alternate or aliased identifier for the parent context."),@AllowedValue(value="status",description="The status of a `control`. For example, a value of \'withdrawn\' can indicate that the `control` has been withdrawn and should no longer be used.")}),@AllowedValues(level=ERROR,target="prop[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\') and @name=\'status\']/@value",values={@AllowedValue(value="withdrawn",description="The control is no longer used."),@AllowedValue(value="Withdrawn",description="\\*\\*(deprecated)\\*\\*\\* Use \'withdrawn\' instead.")}),@AllowedValues(level=ERROR,target="link/@rel",allowOthers=true,values={@AllowedValue(value="reference",description="The link cites an external resource related to this control."),@AllowedValue(value="related",description="The link identifies another control with bearing to this control."),@AllowedValue(value="required",description="The link identifies another control that must be present if this control is present."),@AllowedValue(value="incorporated-into",description="The link identifies other control content where this control content is now addressed."),@AllowedValue(value="moved-to",description="The containing control definition was moved to the referenced control.")}),@AllowedValues(level=ERROR,target="part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\')]/@name",values={@AllowedValue(value="overview",description="An introduction to a control or a group of controls."),@AllowedValue(value="statement",description="A set of implementation requirements or recommendations."),@AllowedValue(value="guidance",description="Additional information to consider when selecting, implementing, assessing, and monitoring a control."),@AllowedValue(value="example",description="An example of an implemented requirement or control statement."),@AllowedValue(value="assessment",description="\\*\\*(deprecated)\\*\\* Use \'assessment-method\' instead."),@AllowedValue(value="assessment-method",description="The part describes a method-based assessment over a set of assessment objects.")}),@AllowedValues(level=ERROR,target="part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\') and @name=\'statement\']//part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\')]/@name",values=@AllowedValue(value="item",description="An individual item within a control statement."),remarks="Nested statement parts are \"item\" parts."),@AllowedValues(level=ERROR,target=".//part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\')]/@name",values={@AllowedValue(value="objective",description="\\*\\*(deprecated)\\*\\* Use \'assessment-objective\' instead."),@AllowedValue(value="assessment-objective",description="The part describes a set of assessment objectives.")},remarks="Objectives can be nested."),@AllowedValues(level=ERROR,target="part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\') and @name=(\'assessment\',\'assessment-method\')]/part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\')]/@name",values={@AllowedValue(value="objects",description="\\*\\*(deprecated)\\*\\* Use \'assessment-objects\' instead."),@AllowedValue(value="assessment-objects",description="Provides a listing of assessment objects.")},remarks="Assessment objects appear on assessment methods."),@AllowedValues(level=ERROR,target="part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\') and @name=(\'assessment\',\'assessment-method\')]/prop[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\')]/@name",values=@AllowedValue(value="method",description="\\*\\*(deprecated)\\*\\* Use \'method\' in the \'http://csrc.nist.gov/ns/rmf\' namespace. The assessment method to use. This typically appears on parts with the name \"assessment-method\".")),@AllowedValues(level=ERROR,target="part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\') and @name=(\'assessment\',\'assessment-method\')]/prop[has-oscal-namespace(\'http://csrc.nist.gov/ns/rmf\')]/@name",values=@AllowedValue(value="method",description="The assessment method to use. This typically appears on parts with the name \"assessment-method\".")),@AllowedValues(level=ERROR,target="part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\') and @name=(\'assessment\',\'assessment-method\')]/prop[has-oscal-namespace((\'http://csrc.nist.gov/ns/oscal\',\'http://csrc.nist.gov/ns/rmf\')) and @name=\'method\']/@value",values={@AllowedValue(value="INTERVIEW",description="The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence."),@AllowedValue(value="EXAMINE",description="The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities)."),@AllowedValue(value="TEST",description="The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.")})},indexHasKey=@IndexHasKey(level=ERROR,target="link[@rel=(\'related\',\'required\',\'incorporated-into\',\'moved-to\') and starts-with(@href,\'#\')]",indexName="catalog-groups-controls-parts",keyFields=@KeyField(target="@href",pattern="#(.*)")),expect={@Expect(id="catalog-control-require-statement-when-not-withdrawn",level=ERROR,test="prop[@name=\'status\']/@value=(\'withdrawn\',\'Withdrawn\') or part[@name=\'statement\']"),@Expect(level=WARNING,target="part[has-oscal-namespace(\'http://csrc.nist.gov/ns/oscal\') and @name=(\'assessment\',\'assessment-method\')]",test="prop[has-oscal-namespace((\'http://csrc.nist.gov/ns/oscal\',\'http://csrc.nist.gov/ns/rmf\')) and @name=\'method\']")})) public class Control extends AbstractControl implements gov.nist.secauto.metaschema.core.model.IBoundObject
A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.