From 0921c085ce83c32c46489a6ba6622363b4ff1ff8 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Mon, 20 Jan 2025 23:07:36 -0500 Subject: [PATCH] Final wrap-up of constraint IDs to complete #2088 --- .../oscal_assessment-common_metaschema.xml | 98 ++++++------- ...oscal_implementation-common_metaschema.xml | 102 ++++++------- src/metaschema/oscal_metadata_metaschema.xml | 106 +++++++------- src/metaschema/oscal_poam_metaschema.xml | 4 +- src/metaschema/oscal_profile_metaschema.xml | 16 +-- src/metaschema/oscal_ssp_metaschema.xml | 135 +++++++++--------- 6 files changed, 229 insertions(+), 232 deletions(-) diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index 2cb71ed91c..b2d2543690 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -183,7 +183,7 @@ - + The assessment method to use. This typically appears on parts with the name "assessment". @@ -213,7 +213,7 @@ Task Type The type of task. - + The task represents a planned milestone. The task represents a specific assessment action to be performed. @@ -271,7 +271,7 @@ Time Unit The unit of time for the period. - + The period is specified in seconds. The period is specified in minutes. The period is specified in hours. @@ -528,7 +528,7 @@ Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement. - + The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results. The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results. The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results. 
@@ -595,7 +595,7 @@ Used to indicate the type of object pointed to by the uuid-ref within a subject. - + Component Inventory Item Location @@ -719,7 +719,7 @@ Finding Target Type Identifies the type of the target. - + A reference to a control statement identifier within a control. A reference to a control objective identifier within a control. @@ -755,7 +755,7 @@ Objective Status State An indication as to whether the objective is satisfied or not. - + The objective has been completely satisfied. The objective has not been completely satisfied, but may be partially satisfied. @@ -765,7 +765,7 @@ Objective Status Reason The reason the objective was given it's status. - + The target system or system component satisfied all the conditions. The target system or system component did not satisfy all the conditions. Some other event took place that is not a pass or a fail. @@ -883,7 +883,7 @@ Identifies how the observation was made. - + An inspection was performed. An interview was performed. A manual or automated test was performed. @@ -897,7 +897,7 @@ Identifies the nature of the observation. More than one may be used to further qualify and enable filtering. - + A difference between the SSP implementation statement, and actual implementation. An observation about the status of a the associated control objective. A mitigating factor was identified. @@ -994,7 +994,7 @@ Actor Type The kind of actor. - + A reference to a tool component defined with the assessment assets. A reference to an assessment-platform defined with the assessment assets. A reference to a party defined within the document metadata. @@ -1274,10 +1274,10 @@ - + The type of remediation tracking entry. Can be multi-valued. - + Contacted vendor to determine the status of a pending fix to a known vulnerability. Information related to the current state of response to this risk. A significant step in the response plan has been achieved. 
@@ -1308,13 +1308,13 @@ - + The risk has been confirmed to be a false positive. The risk has been accepted. No further action will be taken. The risk has been adjusted. A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority) - + @@ -1336,7 +1336,7 @@ Risk Status Describes the status of the associated risk. - + The risk has been identified. The identified risk is being investigated. (Open risk) Remediation activities are underway, but are not yet complete. (Open risk) @@ -1374,7 +1374,7 @@ Naming System Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash. - + **deprecated** The FedRAMP naming system. This has been deprecated; use http://fedramp.gov/ns/oscal instead. The facet naming system defined by FedRAMP. The facet naming system defined by OSCAL. @@ -1405,29 +1405,29 @@ - + Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk). - + As first identified. Indicates that residual risk remains after some adjustments have been made. - + General likelihood rating. General impact rating. General risk rating. General severity rating. - + Likelihood as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. Impact as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. Risk as calculated according to FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. - + An identifier managed by the CVE program (see https://cve.mitre.org/). - + Base: Access Vector Base: Access Complexity Base: Authentication 
@@ -1443,47 +1443,47 @@ Environmental: Integrity Requirement Environmental: Availability Requirement - + Local Network Adjacent Network - + High Medium Low - + Multiple Single None - + None Partial Complete - + Unproven Proof-of-Concept Functional High Not Defined - + Official Fix Temporary Fix Workaround Unavailable Not Defined - + Unconfirmed Uncorroborated Confirmed Not Defined - + None Low (light loss) Low Medium @@ -1491,7 +1491,7 @@ High (catastrophic loss) Not Defined - + None Low Medium @@ -1499,7 +1499,7 @@ Not Defined - + Base: Attack Vector Base: Attack Complexity Base: Privileges Required @@ -1523,79 +1523,79 @@ Environmental: Integrity Requirement Modifier Environmental: Availability Requirement Modifier - + Network Adjacent Local Physical - + High Low - + None Low High - + None Required - + Unchanged Changed - + Not Defined Unproven Proof-of-Concept Functional High - + Not Defined Official Fix Temporary Fix Workaround Unavailable - + Not Defined Unknown Reasonable Confirmed - + Not Defined Low Medium High - + Not Defined Network Adjacent Local Physical - + Not Defined High Low - + Not Defined None Low High - + Not Defined None Required - + Not Defined Unchanged Changed @@ -1784,7 +1784,7 @@ Remediation Intent Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner. - + Recommended remediation. The actions intended to resolve the risk. This remediation activities were performed to address the risk. @@ -1890,7 +1890,7 @@ Part Name A textual label that uniquely identifies the part's semantic type. - + An assessment asset. An assessment method. diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index 95c79e3224..e030b6552d 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml 
@@ -64,7 +64,7 @@ State The operational status. - + The component is being designed, developed, or implemented. The component is currently operational and is available for use in the system. The component is no longer operational. @@ -88,7 +88,7 @@ - + Relative placement of component ('internal' or 'external') to the system. UUID of the related leveraged-authorization assembly in this SSP. @@ -103,7 +103,7 @@ &allowed-values-component_component_property-name; - + @@ -113,7 +113,7 @@ The hyperlink identifies a URI pointing to the component in a component-definition that originally defined the component. - + @@ -121,42 +121,42 @@ &allowed-values-responsible-roles-component-production; - + &allowed-values-property-name-asset-type-values; - + The component allows an authenticated scan. The component does not allow an authenticated scan. - + The component is publicly accessible. The component is not publicly accessible. - + The component is virtualized. The component is not virtualized. - + The component is implemented within the system boundary. The component is implemented outside the system boundary. - + - - + + - + The name of the company or organization 
@@ -166,59 +166,59 @@ - + A link to an online information provided by the authorizing body. - + &allowed-values-component_component_software; - + &allowed-values-component_component_service; - + Title of the Interconnection Security Agreement (ISA). Date of the Interconnection Security Agreement (ISA). The name of the remote interconnected system. &allowed-values-property-name-networked-components; - + &allowed-values-property-name-networked-components; - + The identified IP address is for this system. The identified IP address is for the remote system to which this system is connected. - + A link to the system interconnection agreement. - + Interconnection Security Agreement (ISA) point of contact (POC) for this system. Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system. Interconnection Security Agreement (ISA) authorizing official for this system. Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system. - - - - - + + + + + Data from the remote system flows into this system. Data from this system flows to the remote system. - +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -238,7 +238,7 @@ Component Type A category describing the purpose of the component. - + The system as a whole. An external system, which may be a leveraged system or the other side of an interconnection. &allowed-values-component-type; @@ -273,7 +273,7 @@ - + It is a best practice to provide a UUID. @@ -299,7 +299,7 @@ Transport Indicates the transport type. - + Transmission Control Protocol User Datagram Protocol @@ -321,13 +321,13 @@ - + A port range should have a start port given. - + A port range should have an end port given. To define a single port, the start and end should be the same value. - + The port range start should not be after its end. @@ -350,7 +350,7 @@ Implementation State Identifies the implementation status of the control or control objective. - + The control is fully implemented. The control is partially implemented. There is a plan for implementing the control as explained in the remarks. @@ -404,21 +404,21 @@ - + The type of user, such as internal, external, or general-public. The user's privilege level within the system, such as privileged, non-privileged, no-logical-access. - + A user account for a person or entity that is part of the organization who owns or operates the system. A user account for a person or entity that is not part of the organization who owns or operates the system. A user of the system considered to be outside - + This role has elevated access to the system, such as a group or system administrator. This role has typical user-level access to the system without elevated access. This role has no access to the system, such as a manager who approves access as part of a process. - + &allowed-values-responsible-roles-operations; @@ -533,20 +533,20 @@ - + &allowed-values-component_component_property-name; &allowed-values-component_inventory-item_property-name; - + &allowed-values-responsible-roles-operations; - +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -557,7 +557,7 @@ - + The Internet Protocol v4 Address of the asset. The Internet Protocol v6 Address of the asset. The full-qualified domain name (FQDN) of the asset. @@ -589,37 +589,37 @@ &allowed-values-component_inventory-item_property-name; - + &allowed-values-property-name-asset-type-values; - + The name of the company or organization - + The asset is included in periodic vulnerability scanning. The asset is not included in periodic vulnerability scanning. - + A reference to the baseline template used to configure the asset. - + &allowed-values-responsible-roles-operations; &allowed-values-responsible-roles-component-production; - + - + - +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -700,7 +700,7 @@ Identification System Type Identifies the identification system from which the provided identifier was assigned. - + **deprecated** The identifier was assigned by FedRAMP. This has been deprecated; use http://fedramp.gov/ns/oscal instead. The identifier was assigned by FedRAMP. **deprecated** A Universally Unique Identifier (UUID) as defined by RFC4122. This value has been deprecated; use http://ietf.org/rfc/rfc4122 instead. diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index b0b9d9f9cd..be28d1206b 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -50,7 +50,7 @@ - + The link identifies the authoritative location for this resource. Defined by RFC 6596. The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829. @@ -203,20 +203,20 @@ - + Characterizes the kind of location. - + A location that contains computing assets. A class can be used to indicate the sub-type of data-center as primary or alternate. - + The location is a data-center used for normal operations. The location is a data-center used for fail-over or backup operations. - + In most cases, it is useful to define a location. In some cases, defining an explicit location may represent a security risk. - + A location must have at least a title, address, email-address, or telephone number. @@ -242,7 +242,7 @@ Party Type A category describing the kind of party the object describes. - + A human being regarded as an individual. An organized group of one or more person individuals with a specific purpose. @@ -269,7 +269,7 @@ External Identifier Schema Indicates the type of external identifier. - + The identifier is Open Researcher and Contributor ID (ORCID). @@ -314,7 +314,7 @@ - + 
@@ -326,7 +326,7 @@ - + A mail stop associated with the party. The name or number of the party's office. The formal job title of a person. @@ -345,32 +345,32 @@ - + - + - + - + - + - + - + - + - + - +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

- + Indicates the person or organization that created this content. Indicates the person or organization that prepared this content. Indicates the person or organization for which this content was created. Indicates the person or organization responsible for all content represented in the "document". Indicates the person or organization to contact for questions or support related to this content. - + The value identifies a comma-seperated listing of keywords associated with this content. These keywords may be used as search terms for indexing and other applications. - + The link identifies the authoritative location for this resource. Defined by RFC 6596. The link identifies an alternative location or format for this resource. Defined by the HTML Living Standard This link identifies a resource containing the latest version in the version history. Defined by RFC 5829. This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829. This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829. - + @@ -438,7 +438,7 @@ - + @@ -453,7 +453,7 @@ - + @@ -468,7 +468,7 @@ - + @@ -568,13 +568,13 @@ - + Identifies the type of resource represented. The most specific appropriate type value SHOULD be used. For resources representing a published document, this represents the version number of that document. For resources representing a published document, this represents the publication date of that document. - - + + Indicates the resource is an organization's logo. Indicates the resource represents an image. @@ -603,19 +603,19 @@ Indicates the resource is a report. Indicates the resource is a formal agreement between two or more parties. - + A resource should provide at least an rlink or base64 object. - + Ensure that each rlink item references a unique resource. - + Ensure that all base64 resources have a unique filename. - + A title is required when a citation is provided. 
@@ -628,7 +628,7 @@ - + @@ -702,7 +702,7 @@ - + A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value. @@ -731,7 +731,7 @@ Link Relation Type Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose. - + A generalized reference to a network resource (relative or absolute) or to a back-matter resource by UUID expressed as a bare URI fragment. @@ -753,18 +753,18 @@ - + A local reference SHOULD NOT have a media-type.

Since both link and back-matter/resource both allow specification of a media-type, the media-type on link may conflict with the any media-type entries on a resource's rlink or base64 objects. This constraint prevents this from occurring.

- - + + - - + +

This pattern is based on the fragment Augmented Backus-Naur form (ABNF) syntax provided in [RFC3986 section 3.5](https://www.rfc-editor.org/rfc/rfc3986#section-3.5). Uppercase alpha hex digits are required, which is the preferred normalized form defined in RFC3986.

@@ -819,7 +819,7 @@ - + @@ -865,16 +865,16 @@ - + - + - + This value identifies action types defined in the NIST OSCAL namespace. - + An approval of a document instance's content. A request from the responisble party or parties to change the content. @@ -916,7 +916,7 @@ Hash algorithm The digest method by which a hash is derived. - + The SHA-224 algorithm as defined by NIST FIPS 180-4. The SHA-256 algorithm as defined by NIST FIPS 180-4. @@ -1025,7 +1025,7 @@ type flag Indicates the type of phone number. - + A home phone number. An office phone number. A mobile phone number. @@ -1033,7 +1033,7 @@ - +

Providing a country code provides an international means to interpret the phone number.

@@ -1069,7 +1069,7 @@ Country Code The ISO 3166-1 alpha-2 country code for the mailing address. - + @@ -1084,7 +1084,7 @@ Address Type Indicates the type of address. - + A home address. A work address. @@ -1103,7 +1103,7 @@ provided the value of the element will be interpreted as a string of characters. - + A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record. diff --git a/src/metaschema/oscal_poam_metaschema.xml b/src/metaschema/oscal_poam_metaschema.xml index b7ce3b26da..92a8c2ea68 100644 --- a/src/metaschema/oscal_poam_metaschema.xml +++ b/src/metaschema/oscal_poam_metaschema.xml @@ -84,7 +84,7 @@ - +

Since multiple component entries can be provided, each component must have a unique uuid.

@@ -172,7 +172,7 @@ - + It is a best practice to provide a UUID. diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index faf7b99ce9..0caddb6a18 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -118,7 +118,7 @@ Declare how clashing controls should be handled. - + Use the first definition - the first control with a given ID is used; subsequent ones are discarded **(deprecated)** **(unspecified)** @@ -129,7 +129,7 @@ - + @@ -316,7 +316,7 @@ title or prop. - + A descendant parameter and all of its descendants. A descendant property and all of its descendants. A descendant link and all of its descendants. @@ -346,7 +346,7 @@ the targeted element (beside it or inside it). - + Preceding the by-id target Following the by-id target Inside the control or by-id target, at the start @@ -377,7 +377,7 @@ - + &allowed-values-control-group-property-name; @@ -395,7 +395,7 @@ - +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

@@ -411,7 +411,7 @@ Order A designation of how a selection of controls in a profile is to be ordered. - + Use the order of their appearance, using a depth-first traversal of the source profile's imports. Sort all selected controls into ascending alphanumeric order by their ID. Sort all selected controls into descending alphanumeric order by their ID. @@ -459,7 +459,7 @@ Include Contained Controls with Control When a control is included, whether its child (dependent) controls are also included. - + Include child controls with an included control. When importing a control, only include child controls that are also explicitly called. diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index bda65491d3..a56cd1204a 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -46,7 +46,7 @@ - + @@ -129,7 +129,7 @@ - + A value of 1, 2, or 3 as defined by SP 800-63-3. A value of 1, 2, or 3 as defined by SP 800-63-3. @@ -137,7 +137,7 @@ A value of 1, 2, or 3 as defined by SP 800-63-3. - + As defined by SP 800-63-3. As defined by SP 800-63-3. @@ -145,11 +145,11 @@ As defined by SP 800-63-3. - + The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other. The associated value is one of: saas, paas, iaas, or other. - + The public cloud deployment model as defined by The NIST Definition of Cloud Computing. The private cloud deployment model as defined by The NIST Definition of Cloud Computing. @@ -165,7 +165,7 @@

The hybrid cloud deployment model, as defined by The NIST Definition of Cloud Computing, can be supported by selecting two or more of the existing deployment models.

- + Software as a service (SaaS) cloud service model as defined by The NIST Definition of Cloud Computing. Platform as a service (PaaS) cloud service model as defined by The NIST Definition of Cloud Computing. @@ -174,13 +174,13 @@ Any other type of cloud service model that is exclusive to the other choices. - +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

- + &allowed-values-responsible-roles-system;
@@ -222,7 +222,7 @@ Information Type Identification System Specifies the information type identification system used. - + Based on the section identifiers in NIST Special Publication 800-60 Volume II Revision 1. @@ -264,33 +264,33 @@ - + It is a best practice to provide a UUID. - + Is this a privacy sensitive system? yes or no - + The system is privacy sensitive. The system is not privacy sensitive. - + A link to the privacy impact assessment. - - + + - - + + A 'low' sensitivity level as defined in FIPS-199. A 'moderate' sensitivity level as defined in FIPS-199. @@ -359,7 +359,7 @@ State The current operating status. - + The system is currently operating in production. The system is being designed, developed, or implemented The system is undergoing a major change, development, or transition. @@ -403,7 +403,7 @@ - +

A given uuid must be assigned only once to a diagram.

@@ -441,14 +441,14 @@ - + A reference to the diagram image. - - + + - +

A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal reference within this document containing the diagram.

@@ -484,7 +484,7 @@ - +

A given uuid must be assigned only once to a diagram.

@@ -514,7 +514,7 @@ - +

A given uuid must be assigned only once to a diagram.

@@ -566,14 +566,14 @@ - + A reference to the system security plan for the leveraged authorization. - - + + - + @@ -599,49 +599,49 @@ - + - + - + - + - + - + - + - + - + - + The component allows an authenticated scan. The component does not allow an authenticated scan. - +

A given uuid must be assigned only once to a user.

@@ -666,13 +666,13 @@ - +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

- +
@@ -713,49 +713,49 @@ - + Identifies the source of the implemented control. Any control-origination prop defined in a child context will override the parent value. - + The control is implemented by the organization owning the system, but is not specific to the system itself. The control is implemented specifically to this system. The control is provided by the system, but must be configured by the customer. The control must be implemented by the customer. This control is inherited from an underlying system. - + &allowed-values-responsible-roles-operations; - + - + - +

Since all implementation statements are defined at the by-component level (e.g., type=this-system), there must be at least one by-component.

- +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

- +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

- +

Since statement entries can be referenced using the statement's statement-id, each statement must be referenced only once.

- +

Since by-component can reference component entries using the component's uuid, each component must be referenced only once. This ensures that all implementation statements are contained in the same by-component entry.

@@ -795,16 +795,16 @@ - + &allowed-values-responsible-roles-operations; - +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

- +

Since by-component can reference component entries using the component's uuid, each component must be referenced only once. This ensures that all implementation statements are contained in the same by-component entry.

@@ -889,7 +889,7 @@ - +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -928,7 +928,7 @@ - +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -939,8 +939,8 @@ - - + + @@ -973,7 +973,7 @@ - +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -1010,7 +1010,7 @@ - +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -1025,25 +1025,22 @@ - + The hyperlink identifies a URI pointing to the component in a component-definition that originally described the component this component was based on. + A reference to the UUID of a control or statement by-component object that is used as evidence of implementation. - + &allowed-values-responsible-roles-operations; &allowed-values-responsible-roles-component-production; - +

Since multiple set-parameter entries can be provided, each parameter must be set only once.

- - - A reference to the UUID of a control or statement by-component object that is used as evidence of implementation. - - +
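Review bot: In the `@@ -345,32 +345,32 @@` hunk of src/metaschema/oscal_metadata_metaschema.xml, the link-relation list ends with two consecutive entries carrying the identical description "This link identifies a resource containing the predecessor version in the version history. Defined by RFC 5829.". If the second entry is a different relation value, its description needs to say so, and this pass over the block is a good place to correct it. The same hunk has "comma-seperated" in the keywords description, which should read "comma-separated".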
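Review bot: The remark in the `@@ -441,14 +441,14 @@` hunk of src/metaschema/oscal_ssp_metaschema.xml says 'A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal reference', where "who's" should be "whose". This text documents the constraint being edited in this hunk and is what a document author reads when trying to understand a validation failure, so it is worth correcting in the same change.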
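Review bot: The last hunk of src/metaschema/oscal_ssp_metaschema.xml (`@@ -1025,25 +1025,22 @@`) is not an ID-only edit, which is all the subject line describes. The description "A reference to the UUID of a control or statement by-component object that is used as evidence of implementation." is added directly after the "The hyperlink identifies a URI pointing to the component in a component-definition ..." entry, and the separate block that held it is deleted at the end of the hunk, so two value lists are being merged and the hunk shrinks from 25 to 22 lines. Please state the consolidation in the commit message and confirm that the surviving constraint has the same target and the same allow-other setting as the one removed. If they differ, the set of documents that pass validation changes even though the commit reads as a labelling change.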