From 6b837836030171d616b3f32c8652d21c34d348a2 Mon Sep 17 00:00:00 2001
From: "Cole (Mike) Winberry"
Date: Fri, 30 Aug 2024 08:54:40 -0700
Subject: [PATCH 1/5] chore: create hack script to generate the types for all doctored schemas in the types/quicktype/ folder following the same pattern as before
---
hack/gen-types.sh | 20 +
src/types/quicktype/oscal-1-0-4/types.go | 2290 ++++++++++
src/types/quicktype/oscal-1-0-5/types.go | 5258 ++++++++++++++++++++++
src/types/quicktype/oscal-1-0-6/types.go | 3729 +++++++++++++++
src/types/quicktype/oscal-1-1-0/types.go | 3754 +++++++++++++++
src/types/quicktype/oscal-1-1-1/types.go | 3754 +++++++++++++++
src/types/quicktype/oscal-1-1-2/types.go | 3754 +++++++++++++++
7 files changed, 22559 insertions(+)
create mode 100755 hack/gen-types.sh
create mode 100644 src/types/quicktype/oscal-1-0-4/types.go
create mode 100644 src/types/quicktype/oscal-1-0-5/types.go
create mode 100644 src/types/quicktype/oscal-1-0-6/types.go
create mode 100644 src/types/quicktype/oscal-1-1-0/types.go
create mode 100644 src/types/quicktype/oscal-1-1-1/types.go
create mode 100644 src/types/quicktype/oscal-1-1-2/types.go
diff --git a/hack/gen-types.sh b/hack/gen-types.sh
new file mode 100755
index 00000000..85571ee5
--- /dev/null
+++ b/hack/gen-types.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Set the source and destination directories
+SCHEMA_DIR="src/internal/schemas"
+OUTPUT_DIR="src/types/quicktype"
+
+# Loop through all JSON files in the schema directory
+for schema_file in "$SCHEMA_DIR"/oscal_complete_schema-*.json; do
+ # Extract the version number from the filename
+ version=$(echo "$schema_file" | sed -n 's/.*oscal_complete_schema-\(.*\)\.json/\1/p' | tr '.' '-')
+
+ # Create the output directory if it doesn't exist
+ mkdir -p "$OUTPUT_DIR/oscal-$version"
+
+ # Generate the Go types using quicktype
+ cat "$schema_file" | npx quicktype -s schema -o "$OUTPUT_DIR/oscal-$version/types.go" --package "oscalTypes_${version//-/_}" --top-level OscalModels
+ echo "Generated types for OSCAL version $version"
+done
+
+echo "Type generation complete"
diff --git a/src/types/quicktype/oscal-1-0-4/types.go b/src/types/quicktype/oscal-1-0-4/types.go
new file mode 100644
index 00000000..bf319650
--- /dev/null
+++ b/src/types/quicktype/oscal-1-0-4/types.go
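Review bot: The `npx quicktype` call inside the loop of hack/gen-types.sh names no version, so each run resolves whatever release npm serves at that moment; the committed types are then not reproducible and the generator is an unpinned supply-chain input. Pin it, for example `npx quicktype@PINNED_VERSION -s schema ...` (PINNED_VERSION is a placeholder for the release the team has vetted), or install it from a lockfile-tracked devDependency. The script also lacks `set -euo pipefail` after the shebang, so a failed quicktype run still prints "Generated types for OSCAL version ..." and the loop carries on with a missing or partial types.go. If the glob matches no schema file, bash hands the literal pattern to the loop body, so `shopt -s nullglob` before the `for` is worth adding. SCHEMA_DIR and OUTPUT_DIR are relative, so the script presumably has to be run from the repository root; a header comment such as `# Run from the repository root.` would make that explicit.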
@@ -0,0 +1,2290 @@ +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() + +package oscalTypes_1_0_4 + +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Catalog *Catalog `json:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. +type AssessmentAssets struct { + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A reference to a local or remote resource +type Link struct { + // A resolvable URL reference to a resource. + Href string `json:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` + // Describes the type of relationship provided by the link. This can be an indicator of the + // link's purpose. + Rel *string `json:"rel,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. The value of a property is a simple scalar value, +// which may be expressed as a list of values. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. This + // can be used to further distinguish or discriminate between the semantics of multiple + // properties of the same object with the same name and ns. + Class *string `json:"class,omitempty"` + // A textual label that uniquely identifies a specific attribute, characteristic, or quality + // of the property's containing object. + Name string `json:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined property elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A reference to a set of organizations or persons that have responsibility for performing +// a referenced role in the context of the containing object. +type ResponsibleParty struct { + Links []Link `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to roles served by the user. + RoleID string `json:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. 
+ Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status"` + // A human readable name for the system component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. 
+ UUID *string `json:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty"` + // Indicates the transport type. + Transport *Transport `json:"transport,omitempty"` +} + +// A reference to one or more roles with responsibility for performing a function relative +// to the containing object. +type ResponsibleRole struct { + Links []Link `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to roles responsible for the business function. + RoleID string `json:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources, which may be included directly or by reference. +type BackMatter struct { + Resources []Resource `json:"resources,omitempty"` +} + +// A resource associated with content in the containing document. A resource may be directly +// included in the document base64 encoded or may point to one or more equivalent internet +// resources. +type Resource struct { + // The Base64 alphabet in RFC 2045 - aligned with XSD. + Base64 *Base64 `json:"base64,omitempty"` + // A citation consisting of end note text and optional structured bibliographic data. + Citation *Citation `json:"citation,omitempty"` + // A short summary of the resource used to indicate the purpose of the resource. 
+ Description *string `json:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty"` + // A name given to the resource, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// The Base64 alphabet in RFC 2045 - aligned with XSD. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` + Value string `json:"value"` +} + +// A citation consisting of end note text and optional structured bibliographic data. +type Citation struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A line of citation text. + Text string `json:"text"` +} + +// A document identifier qualified by an identifier scheme. A document identifier provides a +// globally unique identifier with a cross-instance scope that is used for a group of +// documents that are to be treated as different versions of the same document. If this +// element does not appear, or if the value of this element is empty, the value of +// "document-id" is equal to the value of the "uuid" flag of the top-level root element. 
+type DocumentIdentifier struct { + Identifier string `json:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *string `json:"scheme,omitempty"` +} + +// A pointer to an external resource with an optional hash for verification and change +// detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty"` + // A resolvable URI reference to a resource. + Href string `json:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` +} + +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // Method by which a hash is derived + Algorithm string `json:"algorithm"` + Value string `json:"value"` +} + +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. 
In +// the assessment results, this an activity that was actually performed as part of an +// assessment. +type Activity struct { + // A human-readable description of this included activity. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. 
+type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. + Description *string `json:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. + Description *string `json:"description,omitempty"` + ExcludeControls []SelectControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []SelectControl `json:"include-controls,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type SelectControl struct { + // A human-oriented identifier reference to a control with a corresponding id value. 
When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A single managed inventory item within the system. +type InventoryItem struct { + // A summary of the inventory item stating its purpose within the system. 
+ Description string `json:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Parts []Part `json:"parts"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A partition of a control's definition or a child of another part. +type Part struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined part elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + ID *string `json:"id,omitempty"` + Links []Link `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. +type SystemUser struct { + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. 
+ Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title"` +} + +// Provides information about the publication and availability of the containing document. 
+type PublicationMetadata struct { + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified"` + Links []Link `json:"links,omitempty"` + Locations []Location `json:"locations,omitempty"` + OscalVersion string `json:"oscal-version"` + Parties []PartyOrganizationOrPerson `json:"parties,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title"` + Version string `json:"version"` +} + +// A location, with associated metadata that can be referenced. +type Location struct { + Address Address `json:"address"` + EmailAddresses []string `json:"email-addresses,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + Urls []string `json:"urls,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined location elsewhere in this or other OSCAL instances. The + // locally defined UUID of the location can be used to reference the data item locally or + // globally (e.g., from an importing OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A postal address for the location. 
+type Address struct { + AddrLines []string `json:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty"` + // Postal or ZIP code for mailing address + PostalCode *string `json:"postal-code,omitempty"` + // State, province or analogous geographical region for mailing address + State *string `json:"state,omitempty"` + // Indicates the type of address. + Type *string `json:"type,omitempty"` +} + +// Contact number by telephone. +type TelephoneNumber struct { + Number string `json:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty"` +} + +// A responsible entity which is either a person or an organization. +type PartyOrganizationOrPerson struct { + Addresses []Address `json:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` + Links []Link `json:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined party elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the party can be used to reference the data item locally or globally + // (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID) +type PartyExternalIdentifier struct { + ID string `json:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document in reverse +// chronological order (i.e., most recent previous revision first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty"` + Links []Link `json:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + Version string `json:"version"` +} + +// Defines a function assumed or expected to be assumed by a party in a specific situation. +type Role struct { + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined role elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL + // instance must be referenced in the context of the containing resource (e.g., import, + // import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ID string `json:"id"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty"` + // A human-readable description of this task. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty"` + // The title for this task. + Title string `json:"title"` + // The type of task. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. 
+ UUID string `json:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. +type AssociatedActivity struct { + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// Used to indicate that a task is dependent on another task. +type TaskDependency struct { + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// The timing under which the task is intended to occur. +type EventTiming struct { + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` +} + +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit"` +} + +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date"` +} + +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end"` + // The task must occur on or after the specified date. 
+ Start time.Time `json:"start"` +} + +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. +type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty"` +} + +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + Links []Link `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. 
+type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Results []AssessmentResult `json:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. 
+type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. + End *time.Time `json:"end,omitempty"` + Findings []Finding `json:"findings,omitempty"` + Links []Link `json:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start"` + // The title for this set of results. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries"` +} + +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []Link `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start"` + // The title for this event. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. 
+type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. + SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// Describes an individual finding. +type Finding struct { + // A human-readable description of this finding. + Description string `json:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. + ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` + Links []Link `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Target TargetClass `json:"target"` + // The title for this finding. 
+ Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. +type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. 
+ RiskUUID string `json:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. + Description *string `json:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state"` +} + +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. + Reason *string `json:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. + // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty"` + Links []Link `json:"links,omitempty"` + Methods []string `json:"methods"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty"` + Types []string `json:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. 
+ Description string `json:"description"` + // A resolvable URL reference to relevant evidence. + Href *string `json:"href,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. 
+ Statement string `json:"statement"` + Status string `json:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. +type Characterization struct { + Facets []Facet `json:"facets"` + Links []Link `json:"links,omitempty"` + Origin FindingOrigin `json:"origin"` + Props []Property `json:"props,omitempty"` +} + +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []Link `json:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system"` + // Indicates the value of the facet. + Value string `json:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. 
+ Description string `json:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. 
+ Lifecycle string `json:"lifecycle"` + Links []Link `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all risk-related tasks taken. 
+type RiskLog struct { + Entries []RiskLogEntry `json:"entries"` +} + +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []Link `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start"` + StatusChange *string `json:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. +type RiskResponseReference struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid"` +} + +// A pointer, by ID, to an externally-defined threat. 
+type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty"` + ID string `json:"id"` + // Specifies the source of the threat information. + System string `json:"system"` +} + +// A collection of controls. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Params []Parameter `json:"params,omitempty"` + // A globally unique identifier with cross-instance scope for this catalog instance. This + // UUID should be changed when this document is revised. + UUID string `json:"uuid"` +} + +// A structured information object representing a security or privacy control. Each security +// or privacy control within the Catalog is defined by a distinct control instance. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + // A human-oriented, locally unique identifier with instance scope that can be used to + // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This + // id should be assigned per-subject, which means it should be consistently used to identify + // the same control across revisions of the document. + ID string `json:"id"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the parameter. 
+ Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ID string `json:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint + Expression string `json:"expression"` + Remarks *string `json:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. 
+ Prose string `json:"prose"` +} + +// Presenting a choice among alternatives +type Selection struct { + Choice []string `json:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. + HowMany *ParameterCardinality `json:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. +type ControlGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in in this and other OSCAL instances (e.g., + // profiles). This id should be assigned per-subject, which means it should be consistently + // used to identify the same group across revisions of the document. + ID *string `json:"id,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component definition elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the component definition can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` + Links []Link `json:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this capability elsewhere in this or other OSCAL instances. The locally + // defined UUID of the capability can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. 
+ Description string `json:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a set of implemented controls elsewhere in this or other OSCAL instances. + // The locally defined UUID of the control implementation set can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A suggestion for how the specified control may be implemented if the containing component + // or capability is instantiated in a system security plan. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a specific control implementation elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance).This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id"` + Remarks *string `json:"remarks,omitempty"` + Values []string `json:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. 
+ StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// TBD +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A description of the component, including information about its function. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. +type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Observations []Observation `json:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. +type PoamItemOrigin struct { + Actors []OriginatingActor `json:"actors"` +} + +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid"` +} + +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty"` +} + +// Each OSCAL profile is defined by a Profile element +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Imports []ImportResource `json:"imports"` + Merge *MergeControls `json:"merge,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Modify *ModifyControls `json:"modify,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this profile elsewhere in this or other OSCAL instances. The locally defined + // UUID of the profile can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance).This identifier should be assigned per-subject, which means + // it should be consistently used to identify the same profile across revisions of the + // document. + UUID string `json:"uuid"` +} + +// The import designates a catalog or profile to be included (referenced and potentially +// modified) by this profile. The import also identifies which controls to select using the +// include-all, include-controls, and exclude-controls directives. +type ImportResource struct { + ExcludeControls []Call `json:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. + Href string `json:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty"` +} + +// Call a control by its ID +type Call struct { + Matching []MatchControlsByPattern `json:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. 
+ WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty"` +} + +// Select controls by (regular expression) match on ID +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty"` +} + +// A Merge element provides structuring directives that drive how controls are organized +// after resolution. +type MergeControls struct { + // An As-is element indicates that the controls should be structured in resolution as they + // are structured in their source catalogs. It does not contain any elements or attributes. + AsIs *bool `json:"as-is,omitempty"` + // A Combine element defines how to combine multiple (competing) versions of the same + // control. + Combine *CombinationRule `json:"combine,omitempty"` + // A Custom element frames a structure for embedding represented controls in resolution. + Custom *CustomGrouping `json:"custom,omitempty"` + // Use the flat structuring method. + Flat *Flat `json:"flat,omitempty"` +} + +// A Combine element defines how to combine multiple (competing) versions of the same +// control. +type CombinationRule struct { + // How clashing controls should be handled + Method *CombinationMethod `json:"method,omitempty"` +} + +// A Custom element frames a structure for embedding represented controls in resolution. +type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. 
+ Class *string `json:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same group across revisions of the + // document. + ID *string `json:"id,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Specifies which controls to use in the containing context. +type SelectControls struct { + ExcludeControls []Call `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty"` +} + +// Use the flat structuring method. +type Flat struct { +} + +// Set parameters or amend controls in resolution +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty"` +} + +// An Alter element specifies changes to be made to an included control when a profile is +// resolved. +type Alteration struct { + Adds []Addition `json:"adds,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. 
When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Removes []Removal `json:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside it) + Position *Position `json:"position,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty"` + // Identify items to remove by the name of the item's information element name, e.g. title + // or prop + ByItemName *string `json:"by-item-name,omitempty"` + // Identify items to remove by matching their assigned name + ByName *string `json:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. 
This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []Link `json:"links,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ParamID string `json:"param-id"` + Props []Property `json:"props,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18 +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile"` + Metadata PublicationMetadata `json:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. 
+ // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. +type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. + Export *Export `json:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. 
+type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. +type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies which statements within a control are addressed. 
+type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. +type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. 
+ SecuritySensitivityLevel string `json:"security-sensitivity-level"` + Status SystemCharacteristicsStatus `json:"status"` + SystemIDS []SystemIdentification `json:"system-ids"` + SystemInformation SystemInformation `json:"system-information"` + // The full name of the system. + SystemName string `json:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. +type AuthorizationBoundary struct { + // A summary of the system's authorization boundary. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. 
+ UUID string `json:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. +type DataFlow struct { + // A summary of the system's data flow. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. +type NetworkArchitecture struct { + // A summary of the system's network architecture. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. +type SecurityImpactLevel struct { + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity"` +} + +// Describes the operational status of the system. +type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The current operating status. 
+ State FluffyState `json:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. +type SystemInformation struct { + InformationTypes []InformationType `json:"information-types"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` +} + +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. +type InformationType struct { + // The expected level of impact resulting from the disruption of access to or use of the + // described information or the information system. + AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` + // The expected level of impact resulting from the unauthorized disclosure of the described + // information. + ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact"` + // A summary of how this information type is used within the system. + Description string `json:"description"` + // The expected level of impact resulting from the unauthorized modification of the + // described information. + IntegrityImpact IntegrityImpactLevel `json:"integrity-impact"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// The expected level of impact resulting from the disruption of access to or use of the +// described information or the information system. +type AvailabilityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system"` +} + +// The expected level of impact resulting from the unauthorized disclosure of the described +// information. +type ConfidentialityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// The expected level of impact resulting from the unauthorized modification of the +// described information. +type IntegrityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized"` + Links []Link `json:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Indicates the transport type. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) + +// The operational status. 
+type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) + +// A category describing the kind of party the object describes. +type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) + +// The unit of time for the period. +type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) + +// The kind of actor. +type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) + +// An indication as to whether the objective is satisfied or not. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) + +// Identifies the type of the target. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) + +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) + +// When a control is included, whether its child (dependent) controls are also included. 
+type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) + +// How clashing controls should be handled +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) + +// A designation of how a selection of controls in a profile is to be ordered. +type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) + +// Where to add the new content with respect to the targeted element (beside it or inside it) +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) + +// The current operating status. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/quicktype/oscal-1-0-5/types.go b/src/types/quicktype/oscal-1-0-5/types.go new file mode 100644 index 00000000..90bea639 --- /dev/null +++ b/src/types/quicktype/oscal-1-0-5/types.go 
@@ -0,0 +1,5258 @@ +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() + +package oscalTypes_1_0_5 + +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Catalog *Catalog `json:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. +type AssessmentAssets struct { + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A reference to a local or remote resource +type Link struct { + // A resolvable URL reference to a resource. + Href string `json:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` + // Describes the type of relationship provided by the link. This can be an indicator of the + // link's purpose. + Rel *Relation `json:"rel,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. The value of a property is a simple scalar value, +// which may be expressed as a list of values. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. This + // can be used to further distinguish or discriminate between the semantics of multiple + // properties of the same object with the same name and ns. + Class *string `json:"class,omitempty"` + // A textual label that uniquely identifies a specific attribute, characteristic, or quality + // of the property's containing object. + Name PropertyName `json:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined property elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A reference to a set of organizations or persons that have responsibility for performing +// a referenced role in the context of the containing object. +type ResponsibleParty struct { + Links []Link `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to roles served by the user. + RoleID string `json:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. 
+ Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status"` + // A human readable name for the system component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type PurpleComponentType `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. 
+ UUID *string `json:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty"` + // Indicates the transport type. + Transport *Transport `json:"transport,omitempty"` +} + +// A reference to one or more roles with responsibility for performing a function relative +// to the containing object. +type ResponsibleRole struct { + Links []Link `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to roles responsible for the business function. + RoleID string `json:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type SubjectType `json:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type SubjectUniversallyUniqueIdentifierReferenceType `json:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources, which may be included directly or by reference. +type BackMatter struct { + Resources []ResourceElement `json:"resources,omitempty"` +} + +// A resource associated with content in the containing document. A resource may be directly +// included in the document base64 encoded or may point to one or more equivalent internet +// resources. +type ResourceElement struct { + // The Base64 alphabet in RFC 2045 - aligned with XSD. + Base64 *Base64 `json:"base64,omitempty"` + // A citation consisting of end note text and optional structured bibliographic data. + Citation *Citation `json:"citation,omitempty"` + // A short summary of the resource used to indicate the purpose of the resource. 
+ Description *string `json:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty"` + // A name given to the resource, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// The Base64 alphabet in RFC 2045 - aligned with XSD. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` + Value string `json:"value"` +} + +// A citation consisting of end note text and optional structured bibliographic data. +type Citation struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A line of citation text. + Text string `json:"text"` +} + +// A document identifier qualified by an identifier scheme. A document identifier provides a +// globally unique identifier with a cross-instance scope that is used for a group of +// documents that are to be treated as different versions of the same document. If this +// element does not appear, or if the value of this element is empty, the value of +// "document-id" is equal to the value of the "uuid" flag of the top-level root element. 
+type DocumentIdentifier struct { + Identifier string `json:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *DocumentIdentificationScheme `json:"scheme,omitempty"` +} + +// A pointer to an external resource with an optional hash for verification and change +// detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty"` + // A resolvable URI reference to a resource. + Href string `json:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` +} + +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // Method by which a hash is derived + Algorithm HashAlgorithm `json:"algorithm"` + Value string `json:"value"` +} + +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Identifies an assessment or related process that can be performed. 
In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. +type Activity struct { + // A human-readable description of this included activity. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. 
In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. + Description *string `json:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. + Description *string `json:"description,omitempty"` + ExcludeControls []SelectControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []SelectControl `json:"include-controls,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type SelectControl struct { + // A human-oriented identifier reference to a control with a corresponding id value. 
When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A single managed inventory item within the system. +type InventoryItem struct { + // A summary of the inventory item stating its purpose within the system. 
+ Description string `json:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Parts []Part `json:"parts"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A partition of a control's definition or a child of another part. +type Part struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined part elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + ID *string `json:"id,omitempty"` + Links []Link `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. +type SystemUser struct { + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. 
+ Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title"` +} + +// Provides information about the publication and availability of the containing document. 
+type PublicationMetadata struct { + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified"` + Links []Link `json:"links,omitempty"` + Locations []Location `json:"locations,omitempty"` + OscalVersion string `json:"oscal-version"` + Parties []PartyOrganizationOrPerson `json:"parties,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title"` + Version string `json:"version"` +} + +// A location, with associated metadata that can be referenced. +type Location struct { + Address Address `json:"address"` + EmailAddresses []string `json:"email-addresses,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + Urls []string `json:"urls,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined location elsewhere in this or other OSCAL instances. The + // locally defined UUID of the location can be used to reference the data item locally or + // globally (e.g., from an importing OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A postal address for the location. 
+type Address struct { + AddrLines []string `json:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty"` + // Postal or ZIP code for mailing address + PostalCode *string `json:"postal-code,omitempty"` + // State, province or analogous geographical region for mailing address + State *string `json:"state,omitempty"` + // Indicates the type of address. + Type *AddressType `json:"type,omitempty"` +} + +// Contact number by telephone. +type TelephoneNumber struct { + Number string `json:"number"` + // Indicates the type of phone number. + Type *TypeFlag `json:"type,omitempty"` +} + +// A responsible entity which is either a person or an organization. +type PartyOrganizationOrPerson struct { + Addresses []Address `json:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` + Links []Link `json:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined party elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the party can be used to reference the data item locally or globally + // (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID) +type PartyExternalIdentifier struct { + ID string `json:"id"` + // Indicates the type of external identifier. + Scheme ExternalIdentifierSchema `json:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document in reverse +// chronological order (i.e., most recent previous revision first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty"` + Links []Link `json:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + Version string `json:"version"` +} + +// Defines a function assumed or expected to be assumed by a party in a specific situation. +type Role struct { + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined role elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL + // instance must be referenced in the context of the containing resource (e.g., import, + // import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ID string `json:"id"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty"` + // A human-readable description of this task. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty"` + // The title for this task. + Title string `json:"title"` + // The type of task. + Type TaskType `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. 
+ UUID string `json:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. +type AssociatedActivity struct { + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// Used to indicate that a task is dependent on another task. +type TaskDependency struct { + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// The timing under which the task is intended to occur. +type EventTiming struct { + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` +} + +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit"` +} + +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date"` +} + +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end"` + // The task must occur on or after the specified date. 
+ Start time.Time `json:"start"` +} + +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. +type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty"` +} + +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + Links []Link `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name PartName `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. 
+type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Results []AssessmentResult `json:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. 
+type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. + End *time.Time `json:"end,omitempty"` + Findings []FindingElement `json:"findings,omitempty"` + Links []Link `json:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start"` + // The title for this set of results. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries"` +} + +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []Link `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start"` + // The title for this event. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. 
+type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. + SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// Describes an individual finding. +type FindingElement struct { + // A human-readable description of this finding. + Description string `json:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. + ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` + Links []Link `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Target TargetClass `json:"target"` + // The title for this finding. 
+ Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. +type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. 
+ RiskUUID string `json:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. + Description *string `json:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State ImplementationState `json:"state"` +} + +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. + Reason *ObjectiveStatusReason `json:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. + // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty"` + Links []Link `json:"links,omitempty"` + Methods []ObservationMethod `json:"methods"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty"` + Types []ObservationType `json:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. 
+ Description string `json:"description"` + // A resolvable URL reference to relevant evidence. + Href *string `json:"href,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type SubjectUniversallyUniqueIdentifierReferenceType `json:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. 
+ Statement string `json:"statement"` + Status RiskStatus `json:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. +type Characterization struct { + Facets []Facet `json:"facets"` + Links []Link `json:"links,omitempty"` + Origin FindingOrigin `json:"origin"` + Props []Property `json:"props,omitempty"` +} + +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []Link `json:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System NamingSystem `json:"system"` + // Indicates the value of the facet. + Value string `json:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. 
+ Description string `json:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. 
+ Lifecycle RemediationIntent `json:"lifecycle"` + Links []Link `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all risk-related tasks taken. 
+type RiskLog struct { + Entries []RiskLogEntry `json:"entries"` +} + +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []Link `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start"` + StatusChange *RiskStatus `json:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. +type RiskResponseReference struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid"` +} + +// A pointer, by ID, to an externally-defined threat. 
+type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty"` + ID string `json:"id"` + // Specifies the source of the threat information. + System ThreatTypeIdentificationSystem `json:"system"` +} + +// A collection of controls. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Params []Parameter `json:"params,omitempty"` + // A globally unique identifier with cross-instance scope for this catalog instance. This + // UUID should be changed when this document is revised. + UUID string `json:"uuid"` +} + +// A structured information object representing a security or privacy control. Each security +// or privacy control within the Catalog is defined by a distinct control instance. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + // A human-oriented, locally unique identifier with instance scope that can be used to + // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This + // id should be assigned per-subject, which means it should be consistently used to identify + // the same control across revisions of the document. + ID string `json:"id"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the parameter. 
+ Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ID string `json:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint + Expression string `json:"expression"` + Remarks *string `json:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. 
+ Prose string `json:"prose"` +} + +// Presenting a choice among alternatives +type Selection struct { + Choice []string `json:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. + HowMany *ParameterCardinality `json:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. +type ControlGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in in this and other OSCAL instances (e.g., + // profiles). This id should be assigned per-subject, which means it should be consistently + // used to identify the same group across revisions of the document. + ID *string `json:"id,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component definition elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the component definition can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` + Links []Link `json:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this capability elsewhere in this or other OSCAL instances. The locally + // defined UUID of the capability can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. 
+ Description string `json:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a set of implemented controls elsewhere in this or other OSCAL instances. + // The locally defined UUID of the control implementation set can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A suggestion for how the specified control may be implemented if the containing component + // or capability is instantiated in a system security plan. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a specific control implementation elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance).This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id"` + Remarks *string `json:"remarks,omitempty"` + Values []string `json:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. 
+ StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// TBD +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A description of the component, including information about its function. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type FluffyComponentType `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. +type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Observations []Observation `json:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. +type PoamItemOrigin struct { + Actors []OriginatingActor `json:"actors"` +} + +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid"` +} + +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *IdentificationSystemType `json:"identifier-type,omitempty"` +} + +// Each OSCAL profile is defined by a Profile element +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Imports []ImportResource `json:"imports"` + Merge *MergeControls `json:"merge,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Modify *ModifyControls `json:"modify,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this profile elsewhere in this or other OSCAL instances. The locally defined + // UUID of the profile can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance).This identifier should be assigned per-subject, which means + // it should be consistently used to identify the same profile across revisions of the + // document. + UUID string `json:"uuid"` +} + +// The import designates a catalog or profile to be included (referenced and potentially +// modified) by this profile. The import also identifies which controls to select using the +// include-all, include-controls, and exclude-controls directives. +type ImportResource struct { + ExcludeControls []Call `json:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
+ Href string `json:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty"` +} + +// Call a control by its ID +type Call struct { + Matching []MatchControlsByPattern `json:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty"` +} + +// Select controls by (regular expression) match on ID +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty"` +} + +// A Merge element provides structuring directives that drive how controls are organized +// after resolution. +type MergeControls struct { + // An As-is element indicates that the controls should be structured in resolution as they + // are structured in their source catalogs. It does not contain any elements or attributes. + AsIs *bool `json:"as-is,omitempty"` + // A Combine element defines how to combine multiple (competing) versions of the same + // control. + Combine *CombinationRule `json:"combine,omitempty"` + // A Custom element frames a structure for embedding represented controls in resolution. + Custom *CustomGrouping `json:"custom,omitempty"` + // Use the flat structuring method. + Flat *Flat `json:"flat,omitempty"` +} + +// A Combine element defines how to combine multiple (competing) versions of the same +// control. +type CombinationRule struct { + // How clashing controls should be handled + Method *CombinationMethod `json:"method,omitempty"` +} + +// A Custom element frames a structure for embedding represented controls in resolution. 
+type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same group across revisions of the + // document. + ID *string `json:"id,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Specifies which controls to use in the containing context. +type SelectControls struct { + ExcludeControls []Call `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty"` +} + +// Use the flat structuring method. 
+type Flat struct { +} + +// Set parameters or amend controls in resolution +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty"` +} + +// An Alter element specifies changes to be made to an included control when a profile is +// resolved. +type Alteration struct { + Adds []Addition `json:"adds,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Removes []Removal `json:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside it) + Position *Position `json:"position,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty"` + // Identify items to remove by the name of the item's information element name, e.g. 
title + // or prop + ByItemName *string `json:"by-item-name,omitempty"` + // Identify items to remove by matching their assigned name + ByName *string `json:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []Link `json:"links,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ ParamID string `json:"param-id"` + Props []Property `json:"props,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18 +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile"` + Metadata PublicationMetadata `json:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. 
+type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. 
+ Export *Export `json:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. 
+type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies which statements within a control are addressed. +type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. 
+type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel string `json:"security-sensitivity-level"` + Status SystemCharacteristicsStatus `json:"status"` + SystemIDS []SystemIdentification `json:"system-ids"` + SystemInformation SystemInformation `json:"system-information"` + // The full name of the system. + SystemName string `json:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. +type AuthorizationBoundary struct { + // A summary of the system's authorization boundary. 
+ Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. +type DataFlow struct { + // A summary of the system's data flow. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. +type NetworkArchitecture struct { + // A summary of the system's network architecture. 
+ Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. +type SecurityImpactLevel struct { + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity"` +} + +// Describes the operational status of the system. +type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. +type SystemInformation struct { + InformationTypes []InformationType `json:"information-types"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` +} + +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. +type InformationType struct { + // The expected level of impact resulting from the disruption of access to or use of the + // described information or the information system. 
+ AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` + // The expected level of impact resulting from the unauthorized disclosure of the described + // information. + ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact"` + // A summary of how this information type is used within the system. + Description string `json:"description"` + // The expected level of impact resulting from the unauthorized modification of the + // described information. + IntegrityImpact IntegrityImpactLevel `json:"integrity-impact"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// The expected level of impact resulting from the disruption of access to or use of the +// described information or the information system. +type AvailabilityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. 
+type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System InformationTypeIdentificationSystem `json:"system"` +} + +// The expected level of impact resulting from the unauthorized disclosure of the described +// information. +type ConfidentialityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// The expected level of impact resulting from the unauthorized modification of the +// described information. +type IntegrityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// Provides information as to how the system is implemented. +type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized"` + Links []Link `json:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. 
+ PartyUUID string `json:"party-uuid"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type Relation string + +const ( + Reference Relation = "reference" +) + +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. 
+// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. 
+// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. 
+type PropertyName string + +const ( + Marking PropertyName = "marking" +) + +// Indicates the transport type. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. 
+// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) + +// The operational status. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. 
+// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. 
+// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) + +// A category describing the purpose of the component. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. 
+// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
+// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type PurpleComponentType string + +const ( + Network PurpleComponentType = "network" + PurpleGuidance PurpleComponentType = "guidance" + PurpleHardware PurpleComponentType = "hardware" + PurpleInterconnection PurpleComponentType = "interconnection" + PurplePhysical PurpleComponentType = "physical" + PurplePlan PurpleComponentType = "plan" + PurplePolicy PurpleComponentType = "policy" + PurpleProcessProcedure PurpleComponentType = "process-procedure" + PurpleService PurpleComponentType = "service" + PurpleSoftware PurpleComponentType = "software" + PurpleStandard PurpleComponentType = "standard" + PurpleValidation PurpleComponentType = "validation" + System PurpleComponentType = "system" + ThisSystem PurpleComponentType = "this-system" +) + +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type SubjectUniversallyUniqueIdentifierReferenceType string + +const ( + Resource SubjectUniversallyUniqueIdentifierReferenceType = "resource" + SubjectUniversallyUniqueIdentifierReferenceTypeComponent SubjectUniversallyUniqueIdentifierReferenceType = "component" + SubjectUniversallyUniqueIdentifierReferenceTypeInventoryItem SubjectUniversallyUniqueIdentifierReferenceType = "inventory-item" + SubjectUniversallyUniqueIdentifierReferenceTypeLocation SubjectUniversallyUniqueIdentifierReferenceType = "location" + SubjectUniversallyUniqueIdentifierReferenceTypeParty SubjectUniversallyUniqueIdentifierReferenceType = "party" + SubjectUniversallyUniqueIdentifierReferenceTypeUser SubjectUniversallyUniqueIdentifierReferenceType = "user" +) + +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. 
+// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type SubjectType string + +const ( + SubjectTypeComponent SubjectType = "component" + SubjectTypeInventoryItem SubjectType = "inventory-item" + SubjectTypeLocation SubjectType = "location" + SubjectTypeParty SubjectType = "party" + SubjectTypeUser SubjectType = "user" +) + +// Qualifies the kind of document identifier using a URI. If the scheme is not provided the +// value of the element will be interpreted as a string of characters. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. +type DocumentIdentificationScheme string + +const ( + HTTPWWWDoiOrg DocumentIdentificationScheme = "http://www.doi.org/" +) + +// Method by which a hash is derived +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. 
+// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. 
+// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type HashAlgorithm string + +const ( + SHA224 HashAlgorithm = "SHA-224" + SHA256 HashAlgorithm = "SHA-256" + SHA384 HashAlgorithm = "SHA-384" + SHA512 HashAlgorithm = "SHA-512" + Sha3224 HashAlgorithm = "SHA3-224" + Sha3256 HashAlgorithm = "SHA3-256" + Sha3384 HashAlgorithm = "SHA3-384" + Sha3512 HashAlgorithm = "SHA3-512" +) + +// Indicates the type of address. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type AddressType string + +const ( + AddressTypeHome AddressType = "home" + Work AddressType = "work" +) + +// Indicates the type of phone number. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type TypeFlag string + +const ( + Mobile TypeFlag = "mobile" + Office TypeFlag = "office" + TypeFlagHome TypeFlag = "home" +) + +// Indicates the type of external identifier. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. 
+type ExternalIdentifierSchema string + +const ( + HTTPOrcidOrg ExternalIdentifierSchema = "http://orcid.org/" +) + +// A category describing the kind of party the object describes. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. 
This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) + +// The unit of time for the period. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. 
+// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. 
+type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) + +// The type of task. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. 
+// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type TaskType string + +const ( + Action TaskType = "action" + Milestone TaskType = "milestone" +) + +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. 
+// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. 
+// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type PartName string + +const ( + Asset PartName = "asset" + Method PartName = "method" + Objective PartName = "objective" +) + +// The kind of actor. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. 
+// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. 
+// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ActorType string + +const ( + ActorTypeParty ActorType = "party" + AssessmentPlatform ActorType = "assessment-platform" + Tool ActorType = "tool" +) + +// Identifies the implementation status of the control or control objective. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ImplementationState string + +const ( + Alternative ImplementationState = "alternative" + ImplementationStatePlanned ImplementationState = "planned" + Implemented ImplementationState = "implemented" + NotApplicable ImplementationState = "not-applicable" + Partial ImplementationState = "partial" +) + +// The reason the objective was given it's status. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). 
This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ObjectiveStatusReason string + +const ( + Fail ObjectiveStatusReason = "fail" + ObjectiveStatusReasonOther ObjectiveStatusReason = "other" + Pass ObjectiveStatusReason = "pass" +) + +// An indication as to whether the objective is satisfied or not. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) + +// Identifies the type of the target. 
+// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. 
+// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) + +// Identifies how the observation was made. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. 
+// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. 
+type ObservationMethod string + +const ( + Examine ObservationMethod = "EXAMINE" + Interview ObservationMethod = "INTERVIEW" + Test ObservationMethod = "TEST" + Unknown ObservationMethod = "UNKNOWN" +) + +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. 
+type ObservationType string + +const ( + ControlObjective ObservationType = "control-objective" + Finding ObservationType = "finding" + Historic ObservationType = "historic" + Mitigation ObservationType = "mitigation" + SSPStatementIssue ObservationType = "ssp-statement-issue" +) + +// Specifies the naming system under which this risk metric is organized, which allows for +// the same names to be used in different systems controlled by different parties. This +// avoids the potential of a name clash. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. +type NamingSystem string + +const ( + HTTPCsrcNISTGovNSOscal NamingSystem = "http://csrc.nist.gov/ns/oscal" + HTTPCsrcNISTGovNSOscalUnknown NamingSystem = "http://csrc.nist.gov/ns/oscal/unknown" + HTTPCveMitreOrg NamingSystem = "http://cve.mitre.org" + HTTPWWWFirstOrgCvssV20 NamingSystem = "http://www.first.org/cvss/v2.0" + HTTPWWWFirstOrgCvssV30 NamingSystem = "http://www.first.org/cvss/v3.0" + HTTPWWWFirstOrgCvssV31 NamingSystem = "http://www.first.org/cvss/v3.1" + NamingSystemHTTPFedrampGov NamingSystem = "http://fedramp.gov" + NamingSystemHTTPFedrampGovNSOscal NamingSystem = "http://fedramp.gov/ns/oscal" +) + +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. 
+// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. 
+// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type RemediationIntent string + +const ( + Completed RemediationIntent = "completed" + Recommendation RemediationIntent = "recommendation" + RemediationIntentPlanned RemediationIntent = "planned" +) + +// Describes the status of the associated risk. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. 
+// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type RiskStatus string + +const ( + Closed RiskStatus = "closed" + DeviationApproved RiskStatus = "deviation-approved" + DeviationRequested RiskStatus = "deviation-requested" + Investigating RiskStatus = "investigating" + Open RiskStatus = "open" + Remediating RiskStatus = "remediating" +) + +// Specifies the source of the threat information. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. +type ThreatTypeIdentificationSystem string + +const ( + ThreatTypeIdentificationSystemHTTPFedrampGov ThreatTypeIdentificationSystem = "http://fedramp.gov" + ThreatTypeIdentificationSystemHTTPFedrampGovNSOscal ThreatTypeIdentificationSystem = "http://fedramp.gov/ns/oscal" +) + +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +// +// A textual label that provides a sub-type or characterization of the property's name. 
This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. 
+// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). 
+// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) + +// A category describing the purpose of the component. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. 
+// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
+// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type FluffyComponentType string + +const ( + FluffyGuidance FluffyComponentType = "guidance" + FluffyHardware FluffyComponentType = "hardware" + FluffyInterconnection FluffyComponentType = "interconnection" + FluffyPhysical FluffyComponentType = "physical" + FluffyPlan FluffyComponentType = "plan" + FluffyPolicy FluffyComponentType = "policy" + FluffyProcessProcedure FluffyComponentType = "process-procedure" + FluffyService FluffyComponentType = "service" + FluffySoftware FluffyComponentType = "software" + FluffyStandard FluffyComponentType = "standard" + FluffyValidation FluffyComponentType = "validation" +) + +// Identifies the identification system from which the provided identifier was assigned. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. +type IdentificationSystemType string + +const ( + HTTPIETFOrgRFCRfc4122 IdentificationSystemType = "http://ietf.org/rfc/rfc4122" + HTTPSFedrampGov IdentificationSystemType = "https://fedramp.gov" + HTTPSIETFOrgRFCRfc4122 IdentificationSystemType = "https://ietf.org/rfc/rfc4122" + IdentificationSystemTypeHTTPFedrampGovNSOscal IdentificationSystemType = "http://fedramp.gov/ns/oscal" +) + +// When a control is included, whether its child (dependent) controls are also included. +// +// A textual label that provides a sub-type or characterization of the property's name. 
This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. 
+// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). 
+// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) + +// How clashing controls should be handled +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. 
+// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
+// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) + +// A designation of how a selection of controls in a profile is to be ordered. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. 
+type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) + +// Where to add the new content with respect to the targeted element (beside it or inside +// it) +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. 
+// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) + +// The current operating status. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. 
+// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. 
+// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) + +// Specifies the information type identification system used. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. +type InformationTypeIdentificationSystem string + +const ( + HTTPDoiOrg106028NISTSP80060V2R1 InformationTypeIdentificationSystem = "http://doi.org/10.6028/NIST.SP.800-60v2r1" +) diff --git a/src/types/quicktype/oscal-1-0-6/types.go b/src/types/quicktype/oscal-1-0-6/types.go new file mode 100644 index 00000000..56f76756 --- /dev/null +++ b/src/types/quicktype/oscal-1-0-6/types.go 
@@ -0,0 +1,3729 @@ +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() + +package oscalTypes_1_0_6 + +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Schema *string `json:"$schema,omitempty"` + Catalog *Catalog `json:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. +type AssessmentAssets struct { + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A reference to a local or remote resource +type Link struct { + // A resolvable URL reference to a resource. + Href string `json:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` + // Describes the type of relationship provided by the link. This can be an indicator of the + // link's purpose. + Rel *string `json:"rel,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. The value of a property is a simple scalar value, +// which may be expressed as a list of values. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. This + // can be used to further distinguish or discriminate between the semantics of multiple + // properties of the same object with the same name and ns. + Class *string `json:"class,omitempty"` + // A textual label that uniquely identifies a specific attribute, characteristic, or quality + // of the property's containing object. + Name string `json:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined property elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A reference to a set of organizations or persons that have responsibility for performing +// a referenced role in the context of the containing object. +type ResponsibleParty struct { + Links []Link `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to roles served by the user. + RoleID string `json:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. 
+ Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status"` + // A human readable name for the system component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. 
+ UUID *string `json:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty"` + // Indicates the transport type. + Transport *Transport `json:"transport,omitempty"` +} + +// A reference to one or more roles with responsibility for performing a function relative +// to the containing object. +type ResponsibleRole struct { + Links []Link `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to roles responsible for the business function. + RoleID string `json:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources, which may be included directly or by reference. +type BackMatter struct { + Resources []Resource `json:"resources,omitempty"` +} + +// A resource associated with content in the containing document. A resource may be directly +// included in the document base64 encoded or may point to one or more equivalent internet +// resources. +type Resource struct { + // The Base64 alphabet in RFC 2045 - aligned with XSD. + Base64 *Base64 `json:"base64,omitempty"` + // A citation consisting of end note text and optional structured bibliographic data. + Citation *Citation `json:"citation,omitempty"` + // A short summary of the resource used to indicate the purpose of the resource. 
+ Description *string `json:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty"` + // A name given to the resource, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// The Base64 alphabet in RFC 2045 - aligned with XSD. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` + Value string `json:"value"` +} + +// A citation consisting of end note text and optional structured bibliographic data. +type Citation struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A line of citation text. + Text string `json:"text"` +} + +// A document identifier qualified by an identifier scheme. A document identifier provides a +// globally unique identifier with a cross-instance scope that is used for a group of +// documents that are to be treated as different versions of the same document. If this +// element does not appear, or if the value of this element is empty, the value of +// "document-id" is equal to the value of the "uuid" flag of the top-level root element. 
+type DocumentIdentifier struct { + Identifier string `json:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *string `json:"scheme,omitempty"` +} + +// A pointer to an external resource with an optional hash for verification and change +// detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty"` + // A resolvable URI reference to a resource. + Href string `json:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. + MediaType *string `json:"media-type,omitempty"` +} + +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // Method by which a hash is derived + Algorithm string `json:"algorithm"` + Value string `json:"value"` +} + +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. 
In +// the assessment results, this an activity that was actually performed as part of an +// assessment. +type Activity struct { + // A human-readable description of this included activity. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. 
+type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. + Description *string `json:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. + Description *string `json:"description,omitempty"` + ExcludeControls []SelectControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []SelectControl `json:"include-controls,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type SelectControl struct { + // A human-oriented identifier reference to a control with a corresponding id value. 
When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A single managed inventory item within the system. +type InventoryItem struct { + // A summary of the inventory item stating its purpose within the system. 
+ Description string `json:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Parts []Part `json:"parts"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A partition of a control's definition or a child of another part. +type Part struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined part elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + ID *string `json:"id,omitempty"` + Links []Link `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. +type SystemUser struct { + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. 
+ Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title"` +} + +// Provides information about the publication and availability of the containing document. 
+type PublicationMetadata struct { + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified"` + Links []Link `json:"links,omitempty"` + Locations []Location `json:"locations,omitempty"` + OscalVersion string `json:"oscal-version"` + Parties []PartyOrganizationOrPerson `json:"parties,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title"` + Version string `json:"version"` +} + +// A location, with associated metadata that can be referenced. +type Location struct { + Address Address `json:"address"` + EmailAddresses []string `json:"email-addresses,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + Urls []string `json:"urls,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined location elsewhere in this or other OSCAL instances. The + // locally defined UUID of the location can be used to reference the data item locally or + // globally (e.g., from an importing OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A postal address for the location. 
+type Address struct { + AddrLines []string `json:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty"` + // Postal or ZIP code for mailing address + PostalCode *string `json:"postal-code,omitempty"` + // State, province or analogous geographical region for mailing address + State *string `json:"state,omitempty"` + // Indicates the type of address. + Type *string `json:"type,omitempty"` +} + +// Contact number by telephone. +type TelephoneNumber struct { + Number string `json:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty"` +} + +// A responsible entity which is either a person or an organization. +type PartyOrganizationOrPerson struct { + Addresses []Address `json:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` + Links []Link `json:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined party elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the party can be used to reference the data item locally or globally + // (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID) +type PartyExternalIdentifier struct { + ID string `json:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document in reverse +// chronological order (i.e., most recent previous revision first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty"` + Links []Link `json:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + Version string `json:"version"` +} + +// Defines a function assumed or expected to be assumed by a party in a specific situation. +type Role struct { + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined role elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL + // instance must be referenced in the context of the containing resource (e.g., import, + // import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ID string `json:"id"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty"` + // A human-readable description of this task. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty"` + // The title for this task. + Title string `json:"title"` + // The type of task. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. 
+ UUID string `json:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. +type AssociatedActivity struct { + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// Used to indicate that a task is dependent on another task. +type TaskDependency struct { + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// The timing under which the task is intended to occur. +type EventTiming struct { + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` +} + +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit"` +} + +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date"` +} + +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end"` + // The task must occur on or after the specified date. 
+ Start time.Time `json:"start"` +} + +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. +type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty"` +} + +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + Links []Link `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. 
+type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Results []AssessmentResult `json:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. 
+type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. + End *time.Time `json:"end,omitempty"` + Findings []Finding `json:"findings,omitempty"` + Links []Link `json:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start"` + // The title for this set of results. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries"` +} + +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []Link `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start"` + // The title for this event. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. 
+type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. + SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// Describes an individual finding. +type Finding struct { + // A human-readable description of this finding. + Description string `json:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. + ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` + Links []Link `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Target TargetClass `json:"target"` + // The title for this finding. 
+ Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. +type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. 
+ RiskUUID string `json:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. + Description *string `json:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state"` +} + +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. + Reason *string `json:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. + // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty"` + Links []Link `json:"links,omitempty"` + Methods []string `json:"methods"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty"` + Types []string `json:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. 
+ Description string `json:"description"` + // A resolvable URL reference to relevant evidence. + Href *string `json:"href,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. 
+ Statement string `json:"statement"` + Status string `json:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. +type Characterization struct { + Facets []Facet `json:"facets"` + Links []Link `json:"links,omitempty"` + Origin FindingOrigin `json:"origin"` + Props []Property `json:"props,omitempty"` +} + +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []Link `json:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system"` + // Indicates the value of the facet. + Value string `json:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. 
+ Description string `json:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. 
+ Lifecycle string `json:"lifecycle"` + Links []Link `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all risk-related tasks taken. 
+type RiskLog struct { + Entries []RiskLogEntry `json:"entries"` +} + +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []Link `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start"` + StatusChange *string `json:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. +type RiskResponseReference struct { + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid"` +} + +// A pointer, by ID, to an externally-defined threat. 
+type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty"` + ID string `json:"id"` + // Specifies the source of the threat information. + System string `json:"system"` +} + +// A collection of controls. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Params []Parameter `json:"params,omitempty"` + // A globally unique identifier with cross-instance scope for this catalog instance. This + // UUID should be changed when this document is revised. + UUID string `json:"uuid"` +} + +// A structured information object representing a security or privacy control. Each security +// or privacy control within the Catalog is defined by a distinct control instance. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + // A human-oriented, locally unique identifier with instance scope that can be used to + // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This + // id should be assigned per-subject, which means it should be consistently used to identify + // the same control across revisions of the document. + ID string `json:"id"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the parameter. 
+ Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ID string `json:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint + Expression string `json:"expression"` + Remarks *string `json:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. 
+ Prose string `json:"prose"` +} + +// Presenting a choice among alternatives +type Selection struct { + Choice []string `json:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. + HowMany *ParameterCardinality `json:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. +type ControlGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in in this and other OSCAL instances (e.g., + // profiles). This id should be assigned per-subject, which means it should be consistently + // used to identify the same group across revisions of the document. + ID *string `json:"id,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component definition elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the component definition can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` + Links []Link `json:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this capability elsewhere in this or other OSCAL instances. The locally + // defined UUID of the capability can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. 
+ Description string `json:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a set of implemented controls elsewhere in this or other OSCAL instances. + // The locally defined UUID of the control implementation set can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A suggestion for how the specified control may be implemented if the containing component + // or capability is instantiated in a system security plan. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a specific control implementation elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance).This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id"` + Remarks *string `json:"remarks,omitempty"` + Values []string `json:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. 
+ StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// TBD +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A description of the component, including information about its function. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. +type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Observations []Observation `json:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. +type PoamItemOrigin struct { + Actors []OriginatingActor `json:"actors"` +} + +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid"` +} + +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty"` +} + +// Each OSCAL profile is defined by a Profile element +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Imports []ImportResource `json:"imports"` + Merge *MergeControls `json:"merge,omitempty"` + Metadata PublicationMetadata `json:"metadata"` + Modify *ModifyControls `json:"modify,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this profile elsewhere in this or other OSCAL instances. The locally defined + // UUID of the profile can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance).This identifier should be assigned per-subject, which means + // it should be consistently used to identify the same profile across revisions of the + // document. + UUID string `json:"uuid"` +} + +// The import designates a catalog or profile to be included (referenced and potentially +// modified) by this profile. The import also identifies which controls to select using the +// include-all, include-controls, and exclude-controls directives. +type ImportResource struct { + ExcludeControls []Call `json:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. + Href string `json:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty"` +} + +// Call a control by its ID +type Call struct { + Matching []MatchControlsByPattern `json:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. 
+ WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty"` +} + +// Select controls by (regular expression) match on ID +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty"` +} + +// A Merge element provides structuring directives that drive how controls are organized +// after resolution. +type MergeControls struct { + // An As-is element indicates that the controls should be structured in resolution as they + // are structured in their source catalogs. It does not contain any elements or attributes. + AsIs *bool `json:"as-is,omitempty"` + // A Combine element defines how to combine multiple (competing) versions of the same + // control. + Combine *CombinationRule `json:"combine,omitempty"` + // A Custom element frames a structure for embedding represented controls in resolution. + Custom *CustomGrouping `json:"custom,omitempty"` + // Use the flat structuring method. + Flat *Flat `json:"flat,omitempty"` +} + +// A Combine element defines how to combine multiple (competing) versions of the same +// control. +type CombinationRule struct { + // How clashing controls should be handled + Method *CombinationMethod `json:"method,omitempty"` +} + +// A Custom element frames a structure for embedding represented controls in resolution. +type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. 
+ Class *string `json:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same group across revisions of the + // document. + ID *string `json:"id,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Specifies which controls to use in the containing context. +type SelectControls struct { + ExcludeControls []Call `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty"` +} + +// Use the flat structuring method. +type Flat struct { +} + +// Set parameters or amend controls in resolution +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty"` +} + +// An Alter element specifies changes to be made to an included control when a profile is +// resolved. +type Alteration struct { + Adds []Addition `json:"adds,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. 
When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Removes []Removal `json:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty"` + Links []Link `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []Part `json:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside it) + Position *Position `json:"position,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty"` + // Identify items to remove by the name of the item's information element name, e.g. title + // or prop + ByItemName *string `json:"by-item-name,omitempty"` + // Identify items to remove by matching their assigned name + ByName *string `json:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. 
This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []Link `json:"links,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ParamID string `json:"param-id"` + Props []Property `json:"props,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18 +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile"` + Metadata PublicationMetadata `json:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. 
+ // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. +type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. + Export *Export `json:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. 
+type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. +type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. 
+ Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies which statements within a control are addressed. 
+type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. +type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description"` + Links []Link `json:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. 
+ SecuritySensitivityLevel string `json:"security-sensitivity-level"` + Status SystemCharacteristicsStatus `json:"status"` + SystemIDS []SystemIdentification `json:"system-ids"` + SystemInformation SystemInformation `json:"system-information"` + // The full name of the system. + SystemName string `json:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. +type AuthorizationBoundary struct { + // A summary of the system's authorization boundary. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. 
+ UUID string `json:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. +type DataFlow struct { + // A summary of the system's data flow. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. +type NetworkArchitecture struct { + // A summary of the system's network architecture. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. +type SecurityImpactLevel struct { + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity"` +} + +// Describes the operational status of the system. +type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The current operating status. 
+ State FluffyState `json:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. +type SystemInformation struct { + InformationTypes []InformationType `json:"information-types"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` +} + +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. +type InformationType struct { + // The expected level of impact resulting from the disruption of access to or use of the + // described information or the information system. + AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` + // The expected level of impact resulting from the unauthorized disclosure of the described + // information. + ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact"` + // A summary of how this information type is used within the system. + Description string `json:"description"` + // The expected level of impact resulting from the unauthorized modification of the + // described information. + IntegrityImpact IntegrityImpactLevel `json:"integrity-impact"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// The expected level of impact resulting from the disruption of access to or use of the +// described information or the information system. +type AvailabilityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system"` +} + +// The expected level of impact resulting from the unauthorized disclosure of the described +// information. +type ConfidentialityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// The expected level of impact resulting from the unauthorized modification of the +// described information. +type IntegrityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` + Links []Link `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized"` + Links []Link `json:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Indicates the transport type. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. 
+// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. 
When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. 
More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) + +// The operational status. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. 
+// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. 
+// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. 
+// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) + +// A category describing the kind of party the object describes. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. 
+// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. 
+// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) + +// The unit of time for the period. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. 
+// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) + +// The kind of actor. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. 
+// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. 
When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. 
More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) + +// An indication as to whether the objective is satisfied or not. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). 
This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) + +// Identifies the type of the target. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. 
+// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
+// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) + +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) + +// When a control is included, whether its child (dependent) controls are also included. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. 
This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. 
+// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). 
+// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. 
+// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) + +// How clashing controls should be handled +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. 
+// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) + +// A designation of how a selection of controls in a profile is to be ordered. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. 
+// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. 
When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. 
More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) + +// Where to add the new content with respect to the targeted element (beside it or inside +// it) +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). 
This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) + +// The current operating status. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. 
+// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
+// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/quicktype/oscal-1-1-0/types.go b/src/types/quicktype/oscal-1-1-0/types.go new file mode 100644 index 00000000..9b77faad --- /dev/null +++ b/src/types/quicktype/oscal-1-1-0/types.go 
@@ -0,0 +1,3754 @@ +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() + +package oscalTypes_1_1_0 + +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Schema *string `json:"$schema,omitempty"` + Catalog *Catalog `json:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. +type AssessmentAssets struct { + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A reference to a local or remote resource, that has a specific relation to the containing +// object. +type LinkElement struct { + // A resolvable URL reference to a resource. + Href string `json:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` + // Describes the type of relationship provided by the link's hypertext reference. This can + // be an indicator of the link's purpose. + Rel *string `json:"rel,omitempty"` + // In case where the href points to a back-matter/resource, this value will indicate the URI + // fragment to append to any rlink associated with the resource. This value MUST be URI + // encoded. + ResourceFragment *string `json:"resource-fragment,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. + Class *string `json:"class,omitempty"` + // An identifier for relating distinct sets of properties. + Group *string `json:"group,omitempty"` + // A textual label, within a namespace, that uniquely identifies a specific attribute, + // characteristic, or quality of the property's containing object. + Name string `json:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A unique identifier for a property. + UUID *string `json:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A reference to a set of persons and/or organizations that have responsibility for +// performing the referenced role in the context of the containing object. +type ResponsibleParty struct { + Links []LinkElement `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A reference to a role performed by a party. + RoleID string `json:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status"` + // A human readable name for the system component. 
+ Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty"` + // Indicates the transport type. 
+ Transport *Transport `json:"transport,omitempty"` +} + +// A reference to a role with responsibility for performing a function relative to the +// containing object, optionally associated with a set of persons and/or organizations that +// perform that role. +type ResponsibleRole struct { + Links []LinkElement `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to a role performed. + RoleID string `json:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. + Description *string `json:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. 
+type SelectAssessmentSubject struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources that may be referenced from within the OSCAL document instance. +type BackMatter struct { + Resources []Resource `json:"resources,omitempty"` +} + +// A resource associated with content in the containing document instance. A resource may be +// directly included in the document using base64 encoding or may point to one or more +// equivalent internet resources. +type Resource struct { + // A resource encoded using the Base64 alphabet defined by RFC 2045. + Base64 *Base64 `json:"base64,omitempty"` + // An optional citation consisting of end note text using structured markup. + Citation *Citation `json:"citation,omitempty"` + // An optional short summary of the resource used to indicate the purpose of the resource. + Description *string `json:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty"` + // An optional name given to the resource, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + // A unique identifier for a resource. + UUID string `json:"uuid"` +} + +// A resource encoded using the Base64 alphabet defined by RFC 2045. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. 
This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` + Value string `json:"value"` +} + +// An optional citation consisting of end note text using structured markup. +type Citation struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A line of citation text. + Text string `json:"text"` +} + +// A document identifier qualified by an identifier scheme. +type DocumentIdentifier struct { + Identifier string `json:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *string `json:"scheme,omitempty"` +} + +// A URL-based pointer to an external resource with an optional hash for verification and +// change detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty"` + // A resolvable URL pointing to the referenced resource. + Href string `json:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` +} + +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // The digest method by which a hash is derived. + Algorithm string `json:"algorithm"` + Value string `json:"value"` +} + +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. +type Activity struct { + // A human-readable description of this included activity. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. 
+type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. + Description *string `json:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. 
+ Description *string `json:"description,omitempty"` + ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type ControlSelectionExcludeControl struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A single managed inventory item within the system. +type InventoryItem struct { + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. 
Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A human-readable description of this control objective. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Parts []PartElement `json:"parts"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// An annotated, markup-based textual element of a control's or catalog group's definition, +// or a child of another part. +type PartElement struct { + // An optional textual providing a sub-type or characterization of the part's name, or a + // category to which the part belongs. + Class *string `json:"class,omitempty"` + // A unique identifier for the part. + ID *string `json:"id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type, which exists in a + // value space qualified by the ns. + Name string `json:"name"` + // An optional namespace qualifying the part's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // An optional name given to the part, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. 
+type SystemUser struct { + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title"` +} + +// Provides information about the containing document, and defines concepts that are shared +// across the document. 
+type DocumentMetadata struct { + Actions []Action `json:"actions,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified"` + Links []LinkElement `json:"links,omitempty"` + Locations []Location `json:"locations,omitempty"` + OscalVersion string `json:"oscal-version"` + Parties []PartyElement `json:"parties,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title"` + Version string `json:"version"` +} + +// An action applied by a role within a given party to the content. +type Action struct { + // The date and time when the action occurred. + Date *time.Time `json:"date,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // Specifies the action type system used. + System string `json:"system"` + // The type of action documented by the assembly, such as an approval. + Type string `json:"type"` + // A unique identifier that can be used to reference this defined action elsewhere in an + // OSCAL document. A UUID should be consistently used for a given location across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A physical point of presence, which may be associated with people, organizations, or +// other concepts within the current or linked OSCAL document. 
+type Location struct { + Address *Address `json:"address,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + Urls []string `json:"urls,omitempty"` + // A unique ID for the location, for reference. + UUID string `json:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty"` + // Postal or ZIP code for mailing address. + PostalCode *string `json:"postal-code,omitempty"` + // State, province or analogous geographical region for a mailing address. + State *string `json:"state,omitempty"` + // Indicates the type of address. + Type *string `json:"type,omitempty"` +} + +// A telephone service number as defined by ITU-T E.164. +type TelephoneNumber struct { + Number string `json:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty"` +} + +// An organization or person, which may be associated with roles or other concepts within +// the current or linked OSCAL document. +type PartyElement struct { + Addresses []Address `json:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` + // The full name of the party. 
This is typically the legal name associated with the party. + Name *string `json:"name,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type"` + // A unique identifier for the party. + UUID string `json:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID). +type PartyExternalIdentifier struct { + ID string `json:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document, expected to be in +// reverse chronological order (i.e. latest first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty"` + Links []LinkElement `json:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + Version string `json:"version"` +} + +// Defines a function, which might be assigned to a party in a specific situation. +type Role struct { + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty"` + // A unique identifier for the role. + ID string `json:"id"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. 
+ ShortName *string `json:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty"` + // A human-readable description of this task. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty"` + // The title for this task. + Title string `json:"title"` + // The type of task. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. +type AssociatedActivity struct { + // A machine-oriented identifier reference to an activity defined in the list of activities. 
+ ActivityUUID string `json:"activity-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// Used to indicate that a task is dependent on another task. +type TaskDependency struct { + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// The timing under which the task is intended to occur. +type EventTiming struct { + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` +} + +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit"` +} + +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date"` +} + +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start"` +} + +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. 
+type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty"` +} + +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. 
+type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Results []AssessmentResult `json:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. 
+type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. + End *time.Time `json:"end,omitempty"` + Findings []Finding `json:"findings,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start"` + // The title for this set of results. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries"` +} + +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start"` + // The title for this event. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. 
+type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. + SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// Describes an individual finding. +type Finding struct { + // A human-readable description of this finding. + Description string `json:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. + ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Target TargetClass `json:"target"` + // The title for this finding. 
+ Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. +type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. 
+ RiskUUID string `json:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. + Description *string `json:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state"` +} + +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. + Reason *string `json:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. + // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Methods []string `json:"methods"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty"` + Types []string `json:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. 
+ Description string `json:"description"` + // A resolvable URL reference to relevant evidence. + Href *string `json:"href,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. 
+ Statement string `json:"statement"` + Status string `json:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. +type Characterization struct { + Facets []Facet `json:"facets"` + Links []LinkElement `json:"links,omitempty"` + Origin FindingOrigin `json:"origin"` + Props []Property `json:"props,omitempty"` +} + +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []LinkElement `json:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system"` + // Indicates the value of the facet. + Value string `json:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. 
+ Description string `json:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. 
+ Lifecycle string `json:"lifecycle"` + Links []LinkElement `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all risk-related tasks taken. 
+type RiskLog struct { + Entries []RiskLogEntry `json:"entries"` +} + +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start"` + StatusChange *string `json:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. +type RiskResponseReference struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. 
+ ResponseUUID string `json:"response-uuid"` +} + +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty"` + ID string `json:"id"` + // Specifies the source of the threat information. + System string `json:"system"` +} + +// A structured, organized collection of control information. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Params []Parameter `json:"params,omitempty"` + // Provides a globally unique means to identify a given catalog instance. + UUID string `json:"uuid"` +} + +// A structured object representing a requirement or guideline, which when implemented will +// reduce an aspect of risk related to an information system and its information. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + // Identifies a control such that it can be referenced in the defining catalog and other + // OSCAL instances (e.g., profiles). + ID string `json:"id"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the type, purpose, use or scope of + // the parameter. 
+ Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // (deprecated) Another parameter invoking this one. This construct has been deprecated and + // should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A unique identifier for the parameter. + ID string `json:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test. +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint. + Expression string `json:"expression"` + Remarks *string `json:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. + Prose string `json:"prose"` +} + +// Presenting a choice among alternatives. +type Selection struct { + Choice []string `json:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. + HowMany *ParameterCardinality `json:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. 
+type CatalogGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty"` + // Identifies the group for the purpose of cross-linking within the defining instance or + // from other instances that reference the catalog. + ID *string `json:"id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + // Provides a globally unique means to identify a given component definition instance. + UUID string `json:"uuid"` +} + +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Provides a globally unique means to identify a given capability. 
+ UUID string `json:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. + Description string `json:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source"` + // Provides a means to identify a set of control implementations that are supported by a + // given component or capability. + UUID string `json:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A suggestion from the supplier (e.g., component vendor or author) for how the specified + // control may be implemented if the containing component or capability is instantiated in a + // system security plan. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty"` + // Provides a globally unique means to identify a given control implementation by a + // component. 
+ UUID string `json:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id"` + Remarks *string `json:"remarks,omitempty"` + Values []string `json:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// The collection of components comprising this capability. +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // Provides a globally unique means to identify a given component. + UUID string `json:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. +type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Findings []Finding `json:"findings,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Observations []Observation `json:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedFindings []RelatedFinding `json:"related-findings,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. +type PoamItemOrigin struct { + Actors []OriginatingActor `json:"actors"` +} + +// Relates the poam-item to referenced finding(s). +type RelatedFinding struct { + // A machine-oriented identifier reference to a finding defined in the list of findings. + FindingUUID string `json:"finding-uuid"` +} + +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. 
+type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid"` +} + +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty"` +} + +// Each OSCAL profile is defined by a profile element. +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Imports []ImportResource `json:"imports"` + Merge *MergeControls `json:"merge,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Modify *ModifyControls `json:"modify,omitempty"` + // Provides a globally unique means to identify a given profile instance. + UUID string `json:"uuid"` +} + +// Designates a referenced source catalog or profile that provides a source of control +// information for use in creating a new overlay or baseline. +type ImportResource struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
+ Href string `json:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` +} + +// Select a control or controls from an imported control set. +type ImportExcludeControl struct { + Matching []MatchControlsByPattern `json:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty"` +} + +// Selecting a set of controls by matching their IDs with a wildcard pattern. +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty"` +} + +// Provides structuring directives that instruct how controls are organized after profile +// resolution. +type MergeControls struct { + // Indicates that the controls selected should retain their original grouping as defined in + // the import source. + AsIs *bool `json:"as-is,omitempty"` + // A Combine element defines how to resolve duplicate instances of the same control (e.g., + // controls with the same ID). + Combine *CombinationRule `json:"combine,omitempty"` + // Provides an alternate grouping structure that selected controls will be placed in. + Custom *CustomGrouping `json:"custom,omitempty"` + // Directs that controls appear without any grouping structure. + Flat *FlatWithoutGrouping `json:"flat,omitempty"` +} + +// A Combine element defines how to resolve duplicate instances of the same control (e.g., +// controls with the same ID). +type CombinationRule struct { + // Declare how clashing controls should be handled. + Method *CombinationMethod `json:"method,omitempty"` +} + +// Provides an alternate grouping structure that selected controls will be placed in. 
+type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls. +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty"` + // Identifies the group. + ID *string `json:"id,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name to be given to the group for use in display. + Title string `json:"title"` +} + +// Specifies which controls to use in the containing context. +type InsertControls struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty"` +} + +// Directs that controls appear without any grouping structure. +type FlatWithoutGrouping struct { +} + +// Set parameters or amend controls in resolution. +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty"` +} + +// Specifies changes to be made to an included control when a profile is resolved. +type Alteration struct { + Adds []Addition `json:"adds,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). 
+ ControlID string `json:"control-id"` + Removes []Removal `json:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution. +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside + // it). + Position *Position `json:"position,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty"` + // Identify items to remove by the name of the item's information object name, e.g. title or + // prop. + ByItemName *ItemNameReference `json:"by-item-name,omitempty"` + // Identify items remove by matching their assigned name. + ByName *string `json:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion. +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. 
+ DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // An identifier for the parameter. + ParamID string `json:"param-id"` + Props []Property `json:"props,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18. +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile"` + Metadata DocumentMetadata `json:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. 
+ Description string `json:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. +type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. 
+ Description string `json:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. + Export *Export `json:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. 
+type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. 
+ Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies which statements within a control are addressed. +type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. 
+type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty"` + Status SystemCharacteristicsStatus `json:"status"` + SystemIDS []SystemIdentification `json:"system-ids"` + SystemInformation SystemInformation `json:"system-information"` + // The full name of the system. + SystemName string `json:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. +type AuthorizationBoundary struct { + // A summary of the system's authorization boundary. 
+ Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. +type DataFlow struct { + // A summary of the system's data flow. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. +type NetworkArchitecture struct { + // A summary of the system's network architecture. 
+ Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. +type SecurityImpactLevel struct { + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity"` +} + +// Describes the operational status of the system. +type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. +type SystemInformation struct { + InformationTypes []InformationType `json:"information-types"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` +} + +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. 
+type InformationType struct { + AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` + ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty"` + // A summary of how this information type is used within the system. + Description string `json:"description"` + IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// The expected level of impact resulting from the described information. +type ImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system"` +} + +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized"` + Links []LinkElement `json:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Indicates the transport type. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. 
+// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. 
+// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. 
+// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) + +// The operational status. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. 
+// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) + +// A category describing the kind of party the object describes. +// +// A label that indicates the nature of a resource, as a data serialization or format. 
+// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. 
This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) + +// The unit of time for the period. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. 
+// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. 
+// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) + +// The kind of actor. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. 
This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) + +// An indication as to whether the objective is satisfied or not. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) + +// Identifies the type of the target. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. 
+// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. 
+// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) + +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. 
+// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) + +// When a control is included, whether its child (dependent) controls are also included. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. 
+// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). 
+// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. 
+// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) + +// Declare how clashing controls should be handled. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. 
+// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. 
+// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) + +// A designation of how a selection of controls in a profile is to be ordered. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) + +// Where to add the new content with respect to the targeted element (beside it or inside +// it). +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. 
+// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. 
+// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) + +// Identify items to remove by the name of the item's information object name, e.g. title or +// prop. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. 
+// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. 
+// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ItemNameReference string + +const ( + Link ItemNameReference = "link" + Map ItemNameReference = "map" + Mapping ItemNameReference = "mapping" + Param ItemNameReference = "param" + Part ItemNameReference = "part" + Prop ItemNameReference = "prop" +) + +// The current operating status. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. 
This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. 
+// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/quicktype/oscal-1-1-1/types.go b/src/types/quicktype/oscal-1-1-1/types.go new file mode 100644 index 00000000..f8cfb373 --- /dev/null +++ b/src/types/quicktype/oscal-1-1-1/types.go 
@@ -0,0 +1,3754 @@ +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() + +package oscalTypes_1_1_1 + +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Schema *string `json:"$schema,omitempty"` + Catalog *Catalog `json:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. +type AssessmentAssets struct { + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A reference to a local or remote resource, that has a specific relation to the containing +// object. +type LinkElement struct { + // A resolvable URL reference to a resource. + Href string `json:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` + // Describes the type of relationship provided by the link's hypertext reference. This can + // be an indicator of the link's purpose. + Rel *string `json:"rel,omitempty"` + // In case where the href points to a back-matter/resource, this value will indicate the URI + // fragment to append to any rlink associated with the resource. This value MUST be URI + // encoded. + ResourceFragment *string `json:"resource-fragment,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. + Class *string `json:"class,omitempty"` + // An identifier for relating distinct sets of properties. + Group *string `json:"group,omitempty"` + // A textual label, within a namespace, that uniquely identifies a specific attribute, + // characteristic, or quality of the property's containing object. + Name string `json:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A unique identifier for a property. + UUID *string `json:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A reference to a set of persons and/or organizations that have responsibility for +// performing the referenced role in the context of the containing object. +type ResponsibleParty struct { + Links []LinkElement `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A reference to a role performed by a party. + RoleID string `json:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status"` + // A human readable name for the system component. 
+ Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty"` + // Indicates the transport type. 
+ Transport *Transport `json:"transport,omitempty"` +} + +// A reference to a role with responsibility for performing a function relative to the +// containing object, optionally associated with a set of persons and/or organizations that +// perform that role. +type ResponsibleRole struct { + Links []LinkElement `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to a role performed. + RoleID string `json:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. + Description *string `json:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. 
+type SelectAssessmentSubject struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources that may be referenced from within the OSCAL document instance. +type BackMatter struct { + Resources []Resource `json:"resources,omitempty"` +} + +// A resource associated with content in the containing document instance. A resource may be +// directly included in the document using base64 encoding or may point to one or more +// equivalent internet resources. +type Resource struct { + // A resource encoded using the Base64 alphabet defined by RFC 2045. + Base64 *Base64 `json:"base64,omitempty"` + // An optional citation consisting of end note text using structured markup. + Citation *Citation `json:"citation,omitempty"` + // An optional short summary of the resource used to indicate the purpose of the resource. + Description *string `json:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty"` + // An optional name given to the resource, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + // A unique identifier for a resource. + UUID string `json:"uuid"` +} + +// A resource encoded using the Base64 alphabet defined by RFC 2045. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. 
This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` + Value string `json:"value"` +} + +// An optional citation consisting of end note text using structured markup. +type Citation struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A line of citation text. + Text string `json:"text"` +} + +// A document identifier qualified by an identifier scheme. +type DocumentIdentifier struct { + Identifier string `json:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *string `json:"scheme,omitempty"` +} + +// A URL-based pointer to an external resource with an optional hash for verification and +// change detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty"` + // A resolvable URL pointing to the referenced resource. + Href string `json:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` +} + +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // The digest method by which a hash is derived. + Algorithm string `json:"algorithm"` + Value string `json:"value"` +} + +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. +type Activity struct { + // A human-readable description of this included activity. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. 
+type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. + Description *string `json:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. 
+ Description *string `json:"description,omitempty"` + ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type ControlSelectionExcludeControl struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A single managed inventory item within the system. +type InventoryItem struct { + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. 
Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A human-readable description of this control objective. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Parts []PartElement `json:"parts"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// An annotated, markup-based textual element of a control's or catalog group's definition, +// or a child of another part. +type PartElement struct { + // An optional textual providing a sub-type or characterization of the part's name, or a + // category to which the part belongs. + Class *string `json:"class,omitempty"` + // A unique identifier for the part. + ID *string `json:"id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type, which exists in a + // value space qualified by the ns. + Name string `json:"name"` + // An optional namespace qualifying the part's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // An optional name given to the part, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. 
+type SystemUser struct { + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title"` +} + +// Provides information about the containing document, and defines concepts that are shared +// across the document. 
+type DocumentMetadata struct { + Actions []Action `json:"actions,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified"` + Links []LinkElement `json:"links,omitempty"` + Locations []Location `json:"locations,omitempty"` + OscalVersion string `json:"oscal-version"` + Parties []PartyElement `json:"parties,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title"` + Version string `json:"version"` +} + +// An action applied by a role within a given party to the content. +type Action struct { + // The date and time when the action occurred. + Date *time.Time `json:"date,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // Specifies the action type system used. + System string `json:"system"` + // The type of action documented by the assembly, such as an approval. + Type string `json:"type"` + // A unique identifier that can be used to reference this defined action elsewhere in an + // OSCAL document. A UUID should be consistently used for a given location across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A physical point of presence, which may be associated with people, organizations, or +// other concepts within the current or linked OSCAL document. 
+type Location struct { + Address *Address `json:"address,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + Urls []string `json:"urls,omitempty"` + // A unique ID for the location, for reference. + UUID string `json:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty"` + // Postal or ZIP code for mailing address. + PostalCode *string `json:"postal-code,omitempty"` + // State, province or analogous geographical region for a mailing address. + State *string `json:"state,omitempty"` + // Indicates the type of address. + Type *string `json:"type,omitempty"` +} + +// A telephone service number as defined by ITU-T E.164. +type TelephoneNumber struct { + Number string `json:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty"` +} + +// An organization or person, which may be associated with roles or other concepts within +// the current or linked OSCAL document. +type PartyElement struct { + Addresses []Address `json:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` + // The full name of the party. 
This is typically the legal name associated with the party. + Name *string `json:"name,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type"` + // A unique identifier for the party. + UUID string `json:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID). +type PartyExternalIdentifier struct { + ID string `json:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document, expected to be in +// reverse chronological order (i.e. latest first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty"` + Links []LinkElement `json:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + Version string `json:"version"` +} + +// Defines a function, which might be assigned to a party in a specific situation. +type Role struct { + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty"` + // A unique identifier for the role. + ID string `json:"id"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. 
+ ShortName *string `json:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty"` + // A human-readable description of this task. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty"` + // The title for this task. + Title string `json:"title"` + // The type of task. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. +type AssociatedActivity struct { + // A machine-oriented identifier reference to an activity defined in the list of activities. 
+ ActivityUUID string `json:"activity-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// Used to indicate that a task is dependent on another task. +type TaskDependency struct { + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// The timing under which the task is intended to occur. +type EventTiming struct { + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` +} + +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit"` +} + +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date"` +} + +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start"` +} + +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. 
+type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty"` +} + +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. 
+type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Results []AssessmentResult `json:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. 
+type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. + End *time.Time `json:"end,omitempty"` + Findings []Finding `json:"findings,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start"` + // The title for this set of results. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries"` +} + +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start"` + // The title for this event. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. 
+type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. + SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// Describes an individual finding. +type Finding struct { + // A human-readable description of this finding. + Description string `json:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. + ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Target TargetClass `json:"target"` + // The title for this finding. 
+ Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. +type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. 
+ RiskUUID string `json:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. + Description *string `json:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state"` +} + +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. + Reason *string `json:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. + // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Methods []string `json:"methods"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty"` + Types []string `json:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. 
+ Description string `json:"description"` + // A resolvable URL reference to relevant evidence. + Href *string `json:"href,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. 
+ Statement string `json:"statement"` + Status string `json:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. +type Characterization struct { + Facets []Facet `json:"facets"` + Links []LinkElement `json:"links,omitempty"` + Origin FindingOrigin `json:"origin"` + Props []Property `json:"props,omitempty"` +} + +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []LinkElement `json:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system"` + // Indicates the value of the facet. + Value string `json:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. 
+ Description string `json:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. 
+ Lifecycle string `json:"lifecycle"` + Links []LinkElement `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all risk-related tasks taken. 
+type RiskLog struct { + Entries []RiskLogEntry `json:"entries"` +} + +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start"` + StatusChange *string `json:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. +type RiskResponseReference struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. 
+ ResponseUUID string `json:"response-uuid"` +} + +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty"` + ID string `json:"id"` + // Specifies the source of the threat information. + System string `json:"system"` +} + +// A structured, organized collection of control information. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Params []Parameter `json:"params,omitempty"` + // Provides a globally unique means to identify a given catalog instance. + UUID string `json:"uuid"` +} + +// A structured object representing a requirement or guideline, which when implemented will +// reduce an aspect of risk related to an information system and its information. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + // Identifies a control such that it can be referenced in the defining catalog and other + // OSCAL instances (e.g., profiles). + ID string `json:"id"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the type, purpose, use or scope of + // the parameter. 
+ Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // (deprecated) Another parameter invoking this one. This construct has been deprecated and + // should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A unique identifier for the parameter. + ID string `json:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test. +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint. + Expression string `json:"expression"` + Remarks *string `json:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. + Prose string `json:"prose"` +} + +// Presenting a choice among alternatives. +type Selection struct { + Choice []string `json:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. + HowMany *ParameterCardinality `json:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. 
+type CatalogGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty"` + // Identifies the group for the purpose of cross-linking within the defining instance or + // from other instances that reference the catalog. + ID *string `json:"id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + // Provides a globally unique means to identify a given component definition instance. + UUID string `json:"uuid"` +} + +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Provides a globally unique means to identify a given capability. 
+ UUID string `json:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. + Description string `json:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source"` + // Provides a means to identify a set of control implementations that are supported by a + // given component or capability. + UUID string `json:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A suggestion from the supplier (e.g., component vendor or author) for how the specified + // control may be implemented if the containing component or capability is instantiated in a + // system security plan. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty"` + // Provides a globally unique means to identify a given control implementation by a + // component. 
+ UUID string `json:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id"` + Remarks *string `json:"remarks,omitempty"` + Values []string `json:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// The collection of components comprising this capability. +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // Provides a globally unique means to identify a given component. + UUID string `json:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. +type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Findings []Finding `json:"findings,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Observations []Observation `json:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedFindings []RelatedFinding `json:"related-findings,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. +type PoamItemOrigin struct { + Actors []OriginatingActor `json:"actors"` +} + +// Relates the poam-item to referenced finding(s). +type RelatedFinding struct { + // A machine-oriented identifier reference to a finding defined in the list of findings. + FindingUUID string `json:"finding-uuid"` +} + +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. 
+type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid"` +} + +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty"` +} + +// Each OSCAL profile is defined by a profile element. +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Imports []ImportResource `json:"imports"` + Merge *MergeControls `json:"merge,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Modify *ModifyControls `json:"modify,omitempty"` + // Provides a globally unique means to identify a given profile instance. + UUID string `json:"uuid"` +} + +// Designates a referenced source catalog or profile that provides a source of control +// information for use in creating a new overlay or baseline. +type ImportResource struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
+ Href string `json:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` +} + +// Select a control or controls from an imported control set. +type ImportExcludeControl struct { + Matching []MatchControlsByPattern `json:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty"` +} + +// Selecting a set of controls by matching their IDs with a wildcard pattern. +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty"` +} + +// Provides structuring directives that instruct how controls are organized after profile +// resolution. +type MergeControls struct { + // Indicates that the controls selected should retain their original grouping as defined in + // the import source. + AsIs *bool `json:"as-is,omitempty"` + // A Combine element defines how to resolve duplicate instances of the same control (e.g., + // controls with the same ID). + Combine *CombinationRule `json:"combine,omitempty"` + // Provides an alternate grouping structure that selected controls will be placed in. + Custom *CustomGrouping `json:"custom,omitempty"` + // Directs that controls appear without any grouping structure. + Flat *FlatWithoutGrouping `json:"flat,omitempty"` +} + +// A Combine element defines how to resolve duplicate instances of the same control (e.g., +// controls with the same ID). +type CombinationRule struct { + // Declare how clashing controls should be handled. + Method *CombinationMethod `json:"method,omitempty"` +} + +// Provides an alternate grouping structure that selected controls will be placed in. 
+type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls. +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty"` + // Identifies the group. + ID *string `json:"id,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name to be given to the group for use in display. + Title string `json:"title"` +} + +// Specifies which controls to use in the containing context. +type InsertControls struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty"` +} + +// Directs that controls appear without any grouping structure. +type FlatWithoutGrouping struct { +} + +// Set parameters or amend controls in resolution. +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty"` +} + +// Specifies changes to be made to an included control when a profile is resolved. +type Alteration struct { + Adds []Addition `json:"adds,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). 
+ ControlID string `json:"control-id"` + Removes []Removal `json:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution. +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside + // it). + Position *Position `json:"position,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty"` + // Identify items to remove by the name of the item's information object name, e.g. title or + // prop. + ByItemName *ItemNameReference `json:"by-item-name,omitempty"` + // Identify items remove by matching their assigned name. + ByName *string `json:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion. +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. 
+ DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // An identifier for the parameter. + ParamID string `json:"param-id"` + Props []Property `json:"props,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18. +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile"` + Metadata DocumentMetadata `json:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. 
+ Description string `json:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. +type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. 
+ Description string `json:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. + Export *Export `json:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. 
+type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. 
+ Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies which statements within a control are addressed. +type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. 
+type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty"` + Status SystemCharacteristicsStatus `json:"status"` + SystemIDS []SystemIdentification `json:"system-ids"` + SystemInformation SystemInformation `json:"system-information"` + // The full name of the system. + SystemName string `json:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. +type AuthorizationBoundary struct { + // A summary of the system's authorization boundary. 
+ Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. +type DataFlow struct { + // A summary of the system's data flow. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. +type NetworkArchitecture struct { + // A summary of the system's network architecture. 
+ Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. +type SecurityImpactLevel struct { + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity"` +} + +// Describes the operational status of the system. +type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. +type SystemInformation struct { + InformationTypes []InformationType `json:"information-types"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` +} + +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. 
+type InformationType struct { + AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` + ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty"` + // A summary of how this information type is used within the system. + Description string `json:"description"` + IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// The expected level of impact resulting from the described information. +type ImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system"` +} + +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized"` + Links []LinkElement `json:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Indicates the transport type. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. 
+// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. 
+// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. 
+// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) + +// The operational status. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. 
+// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) + +// A category describing the kind of party the object describes. +// +// A label that indicates the nature of a resource, as a data serialization or format. 
+// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. 
This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) + +// The unit of time for the period. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. 
+// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. 
+// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) + +// The kind of actor. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. 
This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) + +// An indication as to whether the objective is satisfied or not. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) + +// Identifies the type of the target. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. 
+// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. 
+// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) + +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. 
+// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) + +// When a control is included, whether its child (dependent) controls are also included. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. 
+// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). 
+// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. 
+// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) + +// Declare how clashing controls should be handled. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. 
+// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. 
+// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) + +// A designation of how a selection of controls in a profile is to be ordered. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) + +// Where to add the new content with respect to the targeted element (beside it or inside +// it). +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. 
+// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. 
+// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) + +// Identify items to remove by the name of the item's information object name, e.g. title or +// prop. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. 
+// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. 
+// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ItemNameReference string + +const ( + Link ItemNameReference = "link" + Map ItemNameReference = "map" + Mapping ItemNameReference = "mapping" + Param ItemNameReference = "param" + Part ItemNameReference = "part" + Prop ItemNameReference = "prop" +) + +// The current operating status. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. 
This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. 
+// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/quicktype/oscal-1-1-2/types.go b/src/types/quicktype/oscal-1-1-2/types.go new file mode 100644 index 00000000..b50677fb --- /dev/null +++ b/src/types/quicktype/oscal-1-1-2/types.go 
@@ -0,0 +1,3754 @@ +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() + +package oscalTypes_1_1_2 + +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Schema *string `json:"$schema,omitempty"` + Catalog *Catalog `json:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. +type AssessmentAssets struct { + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// A reference to a local or remote resource, that has a specific relation to the containing +// object. +type LinkElement struct { + // A resolvable URL reference to a resource. + Href string `json:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` + // Describes the type of relationship provided by the link's hypertext reference. This can + // be an indicator of the link's purpose. + Rel *string `json:"rel,omitempty"` + // In case where the href points to a back-matter/resource, this value will indicate the URI + // fragment to append to any rlink associated with the resource. This value MUST be URI + // encoded. + ResourceFragment *string `json:"resource-fragment,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. + Class *string `json:"class,omitempty"` + // An identifier for relating distinct sets of properties. + Group *string `json:"group,omitempty"` + // A textual label, within a namespace, that uniquely identifies a specific attribute, + // characteristic, or quality of the property's containing object. + Name string `json:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A unique identifier for a property. + UUID *string `json:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A reference to a set of persons and/or organizations that have responsibility for +// performing the referenced role in the context of the containing object. +type ResponsibleParty struct { + Links []LinkElement `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A reference to a role performed by a party. + RoleID string `json:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status"` + // A human readable name for the system component. 
+ Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty"` + // Indicates the transport type. 
+ Transport *Transport `json:"transport,omitempty"` +} + +// A reference to a role with responsibility for performing a function relative to the +// containing object, optionally associated with a set of persons and/or organizations that +// perform that role. +type ResponsibleRole struct { + Links []LinkElement `json:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human-oriented identifier reference to a role performed. + RoleID string `json:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. + Description *string `json:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. 
+type SelectAssessmentSubject struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources that may be referenced from within the OSCAL document instance. +type BackMatter struct { + Resources []Resource `json:"resources,omitempty"` +} + +// A resource associated with content in the containing document instance. A resource may be +// directly included in the document using base64 encoding or may point to one or more +// equivalent internet resources. +type Resource struct { + // A resource encoded using the Base64 alphabet defined by RFC 2045. + Base64 *Base64 `json:"base64,omitempty"` + // An optional citation consisting of end note text using structured markup. + Citation *Citation `json:"citation,omitempty"` + // An optional short summary of the resource used to indicate the purpose of the resource. + Description *string `json:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty"` + // An optional name given to the resource, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + // A unique identifier for a resource. + UUID string `json:"uuid"` +} + +// A resource encoded using the Base64 alphabet defined by RFC 2045. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. 
This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` + Value string `json:"value"` +} + +// An optional citation consisting of end note text using structured markup. +type Citation struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A line of citation text. + Text string `json:"text"` +} + +// A document identifier qualified by an identifier scheme. +type DocumentIdentifier struct { + Identifier string `json:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *string `json:"scheme,omitempty"` +} + +// A URL-based pointer to an external resource with an optional hash for verification and +// change detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty"` + // A resolvable URL pointing to the referenced resource. + Href string `json:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty"` +} + +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // The digest method by which a hash is derived. + Algorithm string `json:"algorithm"` + Value string `json:"value"` +} + +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. +type Activity struct { + // A human-readable description of this included activity. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. 
+type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. + Description *string `json:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. 
+ Description *string `json:"description,omitempty"` + ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type ControlSelectionExcludeControl struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A single managed inventory item within the system. +type InventoryItem struct { + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. 
Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A human-readable description of this control objective. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Parts []PartElement `json:"parts"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// An annotated, markup-based textual element of a control's or catalog group's definition, +// or a child of another part. +type PartElement struct { + // An optional textual providing a sub-type or characterization of the part's name, or a + // category to which the part belongs. + Class *string `json:"class,omitempty"` + // A unique identifier for the part. + ID *string `json:"id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type, which exists in a + // value space qualified by the ns. + Name string `json:"name"` + // An optional namespace qualifying the part's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // An optional name given to the part, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. 
+type SystemUser struct { + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title"` +} + +// Provides information about the containing document, and defines concepts that are shared +// across the document. 
+type DocumentMetadata struct { + Actions []Action `json:"actions,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified"` + Links []LinkElement `json:"links,omitempty"` + Locations []Location `json:"locations,omitempty"` + OscalVersion string `json:"oscal-version"` + Parties []PartyElement `json:"parties,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title"` + Version string `json:"version"` +} + +// An action applied by a role within a given party to the content. +type Action struct { + // The date and time when the action occurred. + Date *time.Time `json:"date,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + // Specifies the action type system used. + System string `json:"system"` + // The type of action documented by the assembly, such as an approval. + Type string `json:"type"` + // A unique identifier that can be used to reference this defined action elsewhere in an + // OSCAL document. A UUID should be consistently used for a given location across revisions + // of the document. + UUID string `json:"uuid"` +} + +// A physical point of presence, which may be associated with people, organizations, or +// other concepts within the current or linked OSCAL document. 
+type Location struct { + Address *Address `json:"address,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + Urls []string `json:"urls,omitempty"` + // A unique ID for the location, for reference. + UUID string `json:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty"` + // Postal or ZIP code for mailing address. + PostalCode *string `json:"postal-code,omitempty"` + // State, province or analogous geographical region for a mailing address. + State *string `json:"state,omitempty"` + // Indicates the type of address. + Type *string `json:"type,omitempty"` +} + +// A telephone service number as defined by ITU-T E.164. +type TelephoneNumber struct { + Number string `json:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty"` +} + +// An organization or person, which may be associated with roles or other concepts within +// the current or linked OSCAL document. +type PartyElement struct { + Addresses []Address `json:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` + // The full name of the party. 
This is typically the legal name associated with the party. + Name *string `json:"name,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type"` + // A unique identifier for the party. + UUID string `json:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID). +type PartyExternalIdentifier struct { + ID string `json:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document, expected to be in +// reverse chronological order (i.e. latest first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty"` + Links []LinkElement `json:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty"` + Published *time.Time `json:"published,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty"` + Version string `json:"version"` +} + +// Defines a function, which might be assigned to a party in a specific situation. +type Role struct { + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty"` + // A unique identifier for the role. + ID string `json:"id"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. 
+ ShortName *string `json:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty"` + // A human-readable description of this task. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty"` + // The title for this task. + Title string `json:"title"` + // The type of task. + Type string `json:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. +type AssociatedActivity struct { + // A machine-oriented identifier reference to an activity defined in the list of activities. 
+ ActivityUUID string `json:"activity-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// Used to indicate that a task is dependent on another task. +type TaskDependency struct { + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// The timing under which the task is intended to occur. +type EventTiming struct { + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` +} + +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit"` +} + +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date"` +} + +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start"` +} + +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. 
+type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty"` +} + +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. 
+type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Results []AssessmentResult `json:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. 
+type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. + End *time.Time `json:"end,omitempty"` + Findings []Finding `json:"findings,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start"` + // The title for this set of results. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries"` +} + +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start"` + // The title for this event. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. 
+type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. + SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects"` +} + +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` +} + +// Describes an individual finding. +type Finding struct { + // A human-readable description of this finding. + Description string `json:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. + ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Target TargetClass `json:"target"` + // The title for this finding. 
+ Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. +type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. 
+ RiskUUID string `json:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. + Description *string `json:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state"` +} + +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. + Reason *string `json:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty"` +} + +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. + // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Methods []string `json:"methods"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty"` + Types []string `json:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. 
+ Description string `json:"description"` + // A resolvable URL reference to relevant evidence. + Href *string `json:"href,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. 
+ Statement string `json:"statement"` + Status string `json:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. +type Characterization struct { + Facets []Facet `json:"facets"` + Links []LinkElement `json:"links,omitempty"` + Origin FindingOrigin `json:"origin"` + Props []Property `json:"props,omitempty"` +} + +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []LinkElement `json:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system"` + // Indicates the value of the facet. + Value string `json:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. 
+ Description string `json:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. 
+ Lifecycle string `json:"lifecycle"` + Links []LinkElement `json:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid"` +} + +// A log of all risk-related tasks taken. 
+type RiskLog struct { + Entries []RiskLogEntry `json:"entries"` +} + +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty"` + Links []LinkElement `json:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start"` + StatusChange *string `json:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. +type RiskResponseReference struct { + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. 
+ ResponseUUID string `json:"response-uuid"` +} + +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty"` + ID string `json:"id"` + // Specifies the source of the threat information. + System string `json:"system"` +} + +// A structured, organized collection of control information. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Params []Parameter `json:"params,omitempty"` + // Provides a globally unique means to identify a given catalog instance. + UUID string `json:"uuid"` +} + +// A structured object representing a requirement or guideline, which when implemented will +// reduce an aspect of risk related to an information system and its information. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + // Identifies a control such that it can be referenced in the defining catalog and other + // OSCAL instances (e.g., profiles). + ID string `json:"id"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the type, purpose, use or scope of + // the parameter. 
+ Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // (deprecated) Another parameter invoking this one. This construct has been deprecated and + // should not be used. + DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A unique identifier for the parameter. + ID string `json:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test. +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint. + Expression string `json:"expression"` + Remarks *string `json:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. + Prose string `json:"prose"` +} + +// Presenting a choice among alternatives. +type Selection struct { + Choice []string `json:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. + HowMany *ParameterCardinality `json:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. 
+type CatalogGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Controls []Control `json:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty"` + // Identifies the group for the purpose of cross-linking within the defining instance or + // from other instances that reference the catalog. + ID *string `json:"id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + // Provides a globally unique means to identify a given component definition instance. + UUID string `json:"uuid"` +} + +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // Provides a globally unique means to identify a given capability. 
+ UUID string `json:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. + Description string `json:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source"` + // Provides a means to identify a set of control implementations that are supported by a + // given component or capability. + UUID string `json:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + // A suggestion from the supplier (e.g., component vendor or author) for how the specified + // control may be implemented if the containing component or capability is instantiated in a + // system security plan. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty"` + // Provides a globally unique means to identify a given control implementation by a + // component. 
+ UUID string `json:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id"` + Remarks *string `json:"remarks,omitempty"` + Values []string `json:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// The collection of components comprising this capability. +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title"` + // A category describing the purpose of the component. + Type string `json:"type"` + // Provides a globally unique means to identify a given component. + UUID string `json:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. +type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Findings []Finding `json:"findings,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Observations []Observation `json:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty"` + Props []Property `json:"props,omitempty"` + RelatedFindings []RelatedFinding `json:"related-findings,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. +type PoamItemOrigin struct { + Actors []OriginatingActor `json:"actors"` +} + +// Relates the poam-item to referenced finding(s). +type RelatedFinding struct { + // A machine-oriented identifier reference to a finding defined in the list of findings. + FindingUUID string `json:"finding-uuid"` +} + +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. 
+type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid"` +} + +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty"` +} + +// Each OSCAL profile is defined by a profile element. +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + Imports []ImportResource `json:"imports"` + Merge *MergeControls `json:"merge,omitempty"` + Metadata DocumentMetadata `json:"metadata"` + Modify *ModifyControls `json:"modify,omitempty"` + // Provides a globally unique means to identify a given profile instance. + UUID string `json:"uuid"` +} + +// Designates a referenced source catalog or profile that provides a source of control +// information for use in creating a new overlay or baseline. +type ImportResource struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
+ Href string `json:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` +} + +// Select a control or controls from an imported control set. +type ImportExcludeControl struct { + Matching []MatchControlsByPattern `json:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty"` +} + +// Selecting a set of controls by matching their IDs with a wildcard pattern. +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty"` +} + +// Provides structuring directives that instruct how controls are organized after profile +// resolution. +type MergeControls struct { + // Indicates that the controls selected should retain their original grouping as defined in + // the import source. + AsIs *bool `json:"as-is,omitempty"` + // A Combine element defines how to resolve duplicate instances of the same control (e.g., + // controls with the same ID). + Combine *CombinationRule `json:"combine,omitempty"` + // Provides an alternate grouping structure that selected controls will be placed in. + Custom *CustomGrouping `json:"custom,omitempty"` + // Directs that controls appear without any grouping structure. + Flat *FlatWithoutGrouping `json:"flat,omitempty"` +} + +// A Combine element defines how to resolve duplicate instances of the same control (e.g., +// controls with the same ID). +type CombinationRule struct { + // Declare how clashing controls should be handled. + Method *CombinationMethod `json:"method,omitempty"` +} + +// Provides an alternate grouping structure that selected controls will be placed in. 
+type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls. +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty"` + // Identifies the group. + ID *string `json:"id,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + Props []Property `json:"props,omitempty"` + // A name to be given to the group for use in display. + Title string `json:"title"` +} + +// Specifies which controls to use in the containing context. +type InsertControls struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty"` +} + +// Directs that controls appear without any grouping structure. +type FlatWithoutGrouping struct { +} + +// Set parameters or amend controls in resolution. +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty"` +} + +// Specifies changes to be made to an included control when a profile is resolved. +type Alteration struct { + Adds []Addition `json:"adds,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). 
+ ControlID string `json:"control-id"` + Removes []Removal `json:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution. +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Params []Parameter `json:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside + // it). + Position *Position `json:"position,omitempty"` + Props []Property `json:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty"` + // Identify items to remove by the name of the item's information object name, e.g. title or + // prop. + ByItemName *ItemNameReference `json:"by-item-name,omitempty"` + // Identify items remove by matching their assigned name. + ByName *string `json:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion. +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. 
+ DependsOn *string `json:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty"` + Links []LinkElement `json:"links,omitempty"` + // An identifier for the parameter. + ParamID string `json:"param-id"` + Props []Property `json:"props,omitempty"` + Select *Selection `json:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty"` + Values []string `json:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18. +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile"` + Metadata DocumentMetadata `json:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. 
+ Description string `json:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. +type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. 
+ Description string `json:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. + Export *Export `json:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. 
+type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. 
+ Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Identifies which statements within a control are addressed. +type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. 
+type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href"` + Remarks *string `json:"remarks,omitempty"` +} + +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description"` + Links []LinkElement `json:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` + SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty"` + Status SystemCharacteristicsStatus `json:"status"` + SystemIDS []SystemIdentification `json:"system-ids"` + SystemInformation SystemInformation `json:"system-information"` + // The full name of the system. + SystemName string `json:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. +type AuthorizationBoundary struct { + // A summary of the system's authorization boundary. 
+ Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. +type DataFlow struct { + // A summary of the system's data flow. + Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. +type NetworkArchitecture struct { + // A summary of the system's network architecture. 
+ Description string `json:"description"` + Diagrams []Diagram `json:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` +} + +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. +type SecurityImpactLevel struct { + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity"` +} + +// Describes the operational status of the system. +type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. +type SystemInformation struct { + InformationTypes []InformationType `json:"information-types"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` +} + +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. 
+type InformationType struct { + AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` + ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty"` + // A summary of how this information type is used within the system. + Description string `json:"description"` + IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty"` +} + +// The expected level of impact resulting from the described information. +type ImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty"` + Base string `json:"base"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Selected *string `json:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system"` +} + +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` + Links []LinkElement `json:"links,omitempty"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + Users []SystemUser `json:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized"` + Links []LinkElement `json:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid"` + Props []Property `json:"props,omitempty"` + Remarks *string `json:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid"` +} + +// Indicates the transport type. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. 
+// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. 
+// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. 
+// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) + +// The operational status. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. 
+// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) + +// A category describing the kind of party the object describes. +// +// A label that indicates the nature of a resource, as a data serialization or format. 
+// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. 
This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) + +// The unit of time for the period. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. 
+// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. 
+// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) + +// The kind of actor. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. 
This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) + +// An indication as to whether the objective is satisfied or not. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) + +// Identifies the type of the target. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. 
+// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. 
+// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) + +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. 
+// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) + +// When a control is included, whether its child (dependent) controls are also included. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. 
+// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). 
+// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. 
+// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) + +// Declare how clashing controls should be handled. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. 
+// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. 
+// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) + +// A designation of how a selection of controls in a profile is to be ordered. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) + +// Where to add the new content with respect to the targeted element (beside it or inside +// it). +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. 
+// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. 
+// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) + +// Identify items to remove by the name of the item's information object name, e.g. title or +// prop. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. 
+// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. 
+// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ItemNameReference string + +const ( + Link ItemNameReference = "link" + Map ItemNameReference = "map" + Mapping ItemNameReference = "mapping" + Param ItemNameReference = "param" + Part ItemNameReference = "part" + Prop ItemNameReference = "prop" +) + +// The current operating status. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. 
This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. 
+// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) From 7cd7f949ed96fcc4d3e6a28b19aece659662b3e3 Mon Sep 17 00:00:00 2001 
From: "Cole (Mike) Winberry" Date: Wed, 11 Sep 2024 13:54:59 -0700 Subject: [PATCH 2/5] feat: create hack/gen-types.sh to generate the types using quicktype --- hack/gen-types.sh | 23 +- src/types/oscal-1-0-4/types.go | 3292 ++++++++---- src/types/oscal-1-0-5/types.go | 6248 ++++++++++++++++++---- src/types/oscal-1-0-6/types.go | 4753 ++++++++++++---- src/types/oscal-1-1-0/types.go | 4769 +++++++++++++---- src/types/oscal-1-1-1/types.go | 4769 +++++++++++++---- src/types/oscal-1-1-2/types.go | 4769 +++++++++++++---- src/types/quicktype/oscal-1-0-4/types.go | 2290 -------- src/types/quicktype/oscal-1-0-5/types.go | 5258 ------------------ src/types/quicktype/oscal-1-0-6/types.go | 3729 ------------- src/types/quicktype/oscal-1-1-0/types.go | 3754 ------------- src/types/quicktype/oscal-1-1-1/types.go | 3754 ------------- src/types/quicktype/oscal-1-1-2/types.go | 3754 ------------- 13 files changed, 21779 insertions(+), 29383 deletions(-) delete mode 100644 src/types/quicktype/oscal-1-0-4/types.go delete mode 100644 src/types/quicktype/oscal-1-0-5/types.go delete mode 100644 src/types/quicktype/oscal-1-0-6/types.go delete mode 100644 src/types/quicktype/oscal-1-1-0/types.go delete mode 100644 src/types/quicktype/oscal-1-1-1/types.go delete mode 100644 src/types/quicktype/oscal-1-1-2/types.go diff --git a/hack/gen-types.sh b/hack/gen-types.sh index 85571ee5..d5d8db96 100755 --- a/hack/gen-types.sh +++ b/hack/gen-types.sh @@ -2,7 +2,7 @@ # Set the source and destination directories SCHEMA_DIR="src/internal/schemas" -OUTPUT_DIR="src/types/quicktype" +OUTPUT_DIR="src/types" # Loop through all JSON files in the schema directory for schema_file in "$SCHEMA_DIR"/oscal_complete_schema-*.json; do 
@@ -13,7 +13,26 @@ for schema_file in "$SCHEMA_DIR"/oscal_complete_schema-*.json; do mkdir -p "$OUTPUT_DIR/oscal-$version" # Generate the Go types using quicktype - cat "$schema_file" | npx quicktype -s schema -o "$OUTPUT_DIR/oscal-$version/types.go" --package "oscalTypes_${version//-/_}" --top-level OscalModels + cat "$schema_file" | npx quicktype -s schema \ + -o "$OUTPUT_DIR/oscal-$version/types.go" \ + --package "oscalTypes_${version//-/_}" \ + --top-level OscalModels + + # Add YAML and XML tags + if [[ "$OSTYPE" == "darwin"* ]]; then + # macOS version + sed -i '' ' + s/`json:"\([^"]*\)"`/`json:"\1" yaml:"\1" xml:"\1"`/g + s/`json:"\([^"]*\)" yaml:"\([^"]*\)"`/`json:"\1" yaml:"\2" xml:"\2"`/g + ' "$OUTPUT_DIR/oscal-$version/types.go" + else + # Linux version + sed -i ' + s/`json:"\([^"]*\)"`/`json:"\1" yaml:"\1" xml:"\1"`/g + s/`json:"\([^"]*\)" yaml:"\([^"]*\)"`/`json:"\1" yaml:"\2" xml:"\2"`/g + ' "$OUTPUT_DIR/oscal-$version/types.go" + fi + echo "Generated types for OSCAL version $version" done diff --git a/src/types/oscal-1-0-4/types.go b/src/types/oscal-1-0-4/types.go index ea0566cf..8b9dff5b 100644 --- a/src/types/oscal-1-0-4/types.go +++ b/src/types/oscal-1-0-4/types.go 
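Review bot: The rewritten generation step calls `npx quicktype` with no version, so unless quicktype is pinned in a package.json or lockfile not shown in this patch, each run resolves and executes whatever release the registry serves, and the committed types.go files cannot be reproduced or reviewed against a known generator. Pinning it in the command, e.g. `cat "$schema_file" | npx quicktype@<pinned-version> -s schema \`, with the placeholder replaced by the release the team has vetted, closes that gap. Separately, nothing in the hunk checks the result of the quicktype step before the `sed` rewrite and the "Generated types" message run, so a failed generation can still edit a stale file and report success. Ending the command with `--top-level OscalModels || exit 1` would stop the run at the failure. The `for` loop this code sits in opens outside the hunk.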
@@ -1,1268 +1,2290 @@ -/* -This file was auto-generated with go-oscal. +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() -To regenerate: - - go-oscal generate \ - --input-file \ - --output-file // the path to this file must already exist \ - --tags json,yaml // the tags to add to the Go structs \ - --pkg // defaults to "main" - -For more information on how to use go-oscal: go-oscal --help - -Source: https://github.com/defenseunicorns/go-oscal -*/ package oscalTypes_1_0_4 -import ( - "time" -) - -type OscalModels = OscalCompleteSchema -type OscalCompleteSchema struct { - AssessmentPlan *AssessmentPlan `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty"` - AssessmentResults *AssessmentResults `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty"` - Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestones `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty"` - Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty"` - SystemSecurityPlan *SystemSecurityPlan `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty"` -} - -type AssessmentPlan struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - AssessmentSubjects *[]AssessmentSubject `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportSsp ImportSsp `json:"import-ssp" yaml:"import-ssp"` - LocalDefinitions *LocalDefinitions 
`json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentResults struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportAp ImportAp `json:"import-ap" yaml:"import-ap"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Results []Result `json:"results" yaml:"results"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Capabilities *[]Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty"` - Components *[]DefinedComponent `json:"components,omitempty" yaml:"components,omitempty"` - ImportComponentDefinitions *[]ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestones struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - 
ImportSsp *ImportSsp `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - PoamItems []PoamItem `json:"poam-items" yaml:"poam-items"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - SystemId *SystemId `json:"system-id,omitempty" yaml:"system-id,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Imports []Import `json:"imports" yaml:"imports"` - Merge *Merge `json:"merge,omitempty" yaml:"merge,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Modify *Modify `json:"modify,omitempty" yaml:"modify,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemSecurityPlan struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ControlImplementation ControlImplementation `json:"control-implementation" yaml:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation"` - UUID string `json:"uuid" yaml:"uuid"` -} - +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty" xml:"catalog,omitempty"` + 
Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty" xml:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty" xml:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty" xml:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty" xml:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty" xml:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty" xml:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty" xml:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp" yaml:"import-ssp" xml:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty" xml:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. 
type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatform `json:"assessment-platforms" yaml:"assessment-platforms"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms" yaml:"assessment-platforms" xml:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty" xml:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A reference to a local or remote resource +type Link struct { + // A resolvable URL reference to a resource. + Href string `json:"href" yaml:"href" xml:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + // Describes the type of relationship provided by the link. This can be an indicator of the + // link's purpose. + Rel *string `json:"rel,omitempty" yaml:"rel,omitempty" xml:"rel,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty" yaml:"text,omitempty" xml:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. The value of a property is a simple scalar value, +// which may be expressed as a list of values. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. This + // can be used to further distinguish or discriminate between the semantics of multiple + // properties of the same object with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A textual label that uniquely identifies a specific attribute, characteristic, or quality + // of the property's containing object. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined property elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. 
+ UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type AssessmentSubject struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeSubjects *[]SelectSubjectById `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeSubjects *[]SelectSubjectById `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Type string `json:"type" yaml:"type"` +// A reference to a set of organizations or persons that have responsibility for performing +// a referenced role in the context of the containing object. 
+type ResponsibleParty struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids" yaml:"party-uuids" xml:"party-uuids"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to roles served by the user. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status" yaml:"status" xml:"status"` + // A human readable name for the system component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. 
+ Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name" yaml:"name" xml:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty" xml:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. 
+type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty" yaml:"start,omitempty" xml:"start,omitempty"` + // Indicates the transport type. + Transport *Transport `json:"transport,omitempty" yaml:"transport,omitempty" xml:"transport,omitempty"` } +// A reference to one or more roles with responsibility for performing a function relative +// to the containing object. +type ResponsibleRole struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty" xml:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to roles responsible for the business function. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state" yaml:"state" xml:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty" xml:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty" xml:"include-subjects,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources, which may be included directly or by reference. 
type BackMatter struct { - Resources *[]Resource `json:"resources,omitempty" yaml:"resources,omitempty"` -} - -type ImportSsp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type LocalDefinitions struct { - Activities *[]Activity `json:"activities,omitempty" yaml:"activities,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - ObjectivesAndMethods *[]LocalObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users *[]SystemUser `json:"users,omitempty" yaml:"users,omitempty"` + Resources []Resource `json:"resources,omitempty" yaml:"resources,omitempty" xml:"resources,omitempty"` } -type Metadata struct { - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified" yaml:"last-modified"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Locations *[]Location `json:"locations,omitempty" yaml:"locations,omitempty"` - OscalVersion string `json:"oscal-version" yaml:"oscal-version"` - Parties *[]Party `json:"parties,omitempty" yaml:"parties,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Revisions *[]Revision `json:"revisions,omitempty" yaml:"revisions,omitempty"` - Roles *[]Role `json:"roles,omitempty" yaml:"roles,omitempty"` - Title string `json:"title" yaml:"title"` - Version string `json:"version" yaml:"version"` -} - -type ReviewedControls struct { - 
ControlObjectiveSelections *[]ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Task struct { - AssociatedActivities *[]AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty"` - Dependencies *[]TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentPlanTermsAndConditions struct { - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` -} - -type ImportAp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Result struct { - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty"` - Attestations *[]AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty"` 
- Description string `json:"description" yaml:"description"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Control struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type Group struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - 
-type Parameter struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - ID string `json:"id" yaml:"id"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type Capability struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - IncorporatesComponents *[]IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DefinedComponent struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" 
yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImportComponentDefinition struct { - Href string `json:"href" yaml:"href"` -} - -type PlanOfActionAndMilestonesLocalDefinitions struct { - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Observation struct { - Collected time.Time `json:"collected" yaml:"collected"` - Description string `json:"description" yaml:"description"` - Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Methods []string `json:"methods" yaml:"methods"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelevantEvidence *[]RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Types *[]string `json:"types,omitempty" yaml:"types,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PoamItem struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation 
`json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} - -type Risk struct { - Characterizations *[]Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty"` - Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - MitigatingFactors *[]MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - Remediations *[]Response `json:"remediations,omitempty" yaml:"remediations,omitempty"` - RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty"` - Statement string `json:"statement" yaml:"statement"` - Status string `json:"status" yaml:"status"` - ThreatIds *[]ThreatId `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemId struct { - ID string `json:"id" yaml:"id"` - IdentifierType string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty"` -} - -type Import struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - Href string `json:"href" yaml:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" 
yaml:"include-controls,omitempty"` -} - -type Merge struct { - AsIs bool `json:"as-is,omitempty" yaml:"as-is,omitempty"` - Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty"` - Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty"` - Flat *Flat `json:"flat,omitempty" yaml:"flat,omitempty"` -} - -type Modify struct { - Alters *[]Alter `json:"alters,omitempty" yaml:"alters,omitempty"` - SetParameters *[]ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` -} - -type ControlImplementation struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirement `json:"implemented-requirements" yaml:"implemented-requirements"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` -} - -type ImportProfile struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A resource associated with content in the containing document. A resource may be directly +// included in the document base64 encoded or may point to one or more equivalent internet +// resources. +type Resource struct { + // The Base64 alphabet in RFC 2045 - aligned with XSD. + Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty" xml:"base64,omitempty"` + // A citation consisting of end note text and optional structured bibliographic data. + Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty" xml:"citation,omitempty"` + // A short summary of the resource used to indicate the purpose of the resource. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty" xml:"rlinks,omitempty"` + // A name given to the resource, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The Base64 alphabet in RFC 2045 - aligned with XSD. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty" yaml:"filename,omitempty" xml:"filename,omitempty"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + Value string `json:"value" yaml:"value" xml:"value"` } -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty"` - DateAuthorized string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level" yaml:"security-impact-level"` - SecuritySensitivityLevel string `json:"security-sensitivity-level" yaml:"security-sensitivity-level"` - Status Status `json:"status" yaml:"status"` - SystemIds []SystemId `json:"system-ids" yaml:"system-ids"` - SystemInformation SystemInformation `json:"system-information" yaml:"system-information"` - SystemName string `json:"system-name" yaml:"system-name"` - SystemNameShort string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty"` +// A citation consisting of end note text and optional structured bibliographic data. +type Citation struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A line of citation text. + Text string `json:"text" yaml:"text" xml:"text"` +} + +// A document identifier qualified by an identifier scheme. 
A document identifier provides a +// globally unique identifier with a cross-instance scope that is used for a group of +// documents that are to be treated as different versions of the same document. If this +// element does not appear, or if the value of this element is empty, the value of +// "document-id" is equal to the value of the "uuid" flag of the top-level root element. +type DocumentIdentifier struct { + Identifier string `json:"identifier" yaml:"identifier" xml:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *string `json:"scheme,omitempty" yaml:"scheme,omitempty" xml:"scheme,omitempty"` +} + +// A pointer to an external resource with an optional hash for verification and change +// detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty" yaml:"hashes,omitempty" xml:"hashes,omitempty"` + // A resolvable URI reference to a resource. + Href string `json:"href" yaml:"href" xml:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` } -type SystemImplementation struct { - Components []SystemComponent `json:"components" yaml:"components"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - LeveragedAuthorizations *[]LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users []SystemUser `json:"users" yaml:"users"` -} - -type AssessmentPlatform struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UsesComponents *[]UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemComponent struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Status SystemComponentStatus `json:"status" yaml:"status"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SelectSubjectById struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props 
*[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Type string `json:"type" yaml:"type"` -} - -type IncludeAll = map[string]interface{} - -type Link struct { - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Rel string `json:"rel,omitempty" yaml:"rel,omitempty"` - Text string `json:"text,omitempty" yaml:"text,omitempty"` +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // Method by which a hash is derived + Algorithm string `json:"algorithm" yaml:"algorithm" xml:"algorithm"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Property struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` - Value string `json:"value" yaml:"value"` +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type Resource struct { - Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty"` - Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Rlinks *[]ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. 
type Activity struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedControls *ReviewedControls `json:"related-controls,omitempty" yaml:"related-controls,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Steps *[]Step `json:"steps,omitempty" yaml:"steps,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` + // A human-readable description of this included activity. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty" yaml:"related-controls,omitempty" xml:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty" yaml:"steps,omitempty" xml:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty" xml:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections" xml:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty" xml:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty" xml:"include-objectives,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id" yaml:"objective-id" xml:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeControls []SelectControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []SelectControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type SelectControl struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty" xml:"statement-ids,omitempty"` } +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty" xml:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A single managed inventory item within the system. 
type InventoryItem struct { - Description string `json:"description" yaml:"description"` - ImplementedComponents *[]ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type LocalObjective struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Parts []Part `json:"parts" yaml:"parts"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty" xml:"implemented-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Parts []Part `json:"parts" yaml:"parts" xml:"parts"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A partition of a control's definition or a child of another part. +type Part struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined part elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. type SystemUser struct { - AuthorizedPrivileges *[]AuthorizedPrivilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleIds *[]string `json:"role-ids,omitempty" yaml:"role-ids,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DocumentId struct { - Identifier string `json:"identifier" yaml:"identifier"` - Scheme string `json:"scheme,omitempty" yaml:"scheme,omitempty"` -} - + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty" xml:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty" yaml:"role-ids,omitempty" xml:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed" xml:"functions-performed"` + // A human readable name for the privilege. 
+ Title string `json:"title" yaml:"title" xml:"title"` +} + +// Provides information about the publication and availability of the containing document. +type PublicationMetadata struct { + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified" yaml:"last-modified" xml:"last-modified"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Locations []Location `json:"locations,omitempty" yaml:"locations,omitempty" xml:"locations,omitempty"` + OscalVersion string `json:"oscal-version" yaml:"oscal-version" xml:"oscal-version"` + Parties []PartyOrganizationOrPerson `json:"parties,omitempty" yaml:"parties,omitempty" xml:"parties,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty" xml:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty" yaml:"roles,omitempty" xml:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// A location, with associated metadata that can be referenced. 
type Location struct { - Address Address `json:"address" yaml:"address"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Urls *[]string `json:"urls,omitempty" yaml:"urls,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Party struct { - Addresses *[]Address `json:"addresses,omitempty" yaml:"addresses,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - ExternalIds *[]PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocationUuids *[]string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty"` - MemberOfOrganizations *[]string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty"` - Name string `json:"name,omitempty" yaml:"name,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ResponsibleParty struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids []string `json:"party-uuids" yaml:"party-uuids"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId 
string `json:"role-id" yaml:"role-id"` -} - -type Revision struct { - LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - OscalVersion string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Version string `json:"version" yaml:"version"` -} - + Address Address `json:"address" yaml:"address" xml:"address"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Urls []string `json:"urls,omitempty" yaml:"urls,omitempty" xml:"urls,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined location elsewhere in this or other OSCAL instances. The + // locally defined UUID of the location can be used to reference the data item locally or + // globally (e.g., from an importing OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty" xml:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty" yaml:"city,omitempty" xml:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty" yaml:"country,omitempty" xml:"country,omitempty"` + // Postal or ZIP code for mailing address + PostalCode *string `json:"postal-code,omitempty" yaml:"postal-code,omitempty" xml:"postal-code,omitempty"` + // State, province or analogous geographical region for mailing address + State *string `json:"state,omitempty" yaml:"state,omitempty" xml:"state,omitempty"` + // Indicates the type of address. + Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// Contact number by telephone. +type TelephoneNumber struct { + Number string `json:"number" yaml:"number" xml:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// A responsible entity which is either a person or an organization. 
+type PartyOrganizationOrPerson struct { + Addresses []Address `json:"addresses,omitempty" yaml:"addresses,omitempty" xml:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty" xml:"external-ids,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty" xml:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty" xml:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty" yaml:"name,omitempty" xml:"name,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined party elsewhere in this or other OSCAL instances. The locally + // defined UUID of the party can be used to reference the data item locally or globally + // (e.g., from an importing OSCAL instance). 
This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID) +type PartyExternalIdentifier struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme" yaml:"scheme" xml:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document in reverse +// chronological order (i.e., most recent previous revision first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty" xml:"last-modified,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty" xml:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// Defines a function assumed or expected to be assumed by a party in a specific situation. 
type Role struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title" yaml:"title"` + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined role elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL + // instance must be referenced in the context of the containing resource (e.g., import, + // import-component-definition, import-profile, import-ssp or import-ap). This ID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ID string `json:"id" yaml:"id" xml:"id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. 
+type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty" xml:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty" xml:"dependencies,omitempty"` + // A human-readable description of this task. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty" xml:"timing,omitempty"` + // The title for this task. + Title string `json:"title" yaml:"title" xml:"title"` + // The type of task. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. 
+type AssociatedActivity struct { + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid" yaml:"activity-uuid" xml:"activity-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } -type ReferencedControlObjectives struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeObjectives *[]SelectObjectiveById `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeObjectives *[]SelectObjectiveById `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// Used to indicate that a task is dependent on another task. +type TaskDependency struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. 
+ TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` } -type AssessedControls struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeControls *[]SelectControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// The timing under which the task is intended to occur. +type EventTiming struct { + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty" xml:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty" xml:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty" xml:"within-date-range,omitempty"` } -type AssociatedActivity struct { - ActivityUuid string `json:"activity-uuid" yaml:"activity-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. 
+ Period int64 `json:"period" yaml:"period" xml:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit" yaml:"unit" xml:"unit"` } -type TaskDependency struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date" yaml:"date" xml:"date"` } -type ResponsibleRole struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids *[]string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end" yaml:"end" xml:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start" yaml:"start" xml:"start"` } -type EventTiming struct { - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty"` - OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty"` - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty"` +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. +type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` } +// A partition of an assessment plan or results or a child of another part. 
type AssessmentPart struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. +type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap" yaml:"import-ap" xml:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Results []AssessmentResult `json:"results" yaml:"results" xml:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. +type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty" xml:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty" xml:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Findings []Finding `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this set of results. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries" yaml:"entries"` +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this event. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. +type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty" xml:"identified-subject,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. 
+ SubjectPlaceholderUUID string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid" xml:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } +// A set of textual statements, typically written by the assessor. type AttestationStatements struct { - Parts []AssessmentPart `json:"parts" yaml:"parts"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` + Parts []AssessmentPart `json:"parts" yaml:"parts" xml:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } +// Describes an individual finding. type Finding struct { - Description string `json:"description" yaml:"description"` - ImplementationStatementUuid string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Target FindingTarget `json:"target" yaml:"target"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Part struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" 
yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` + // A human-readable description of this finding. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. + ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty" xml:"implementation-statement-uuid,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Target TargetClass `json:"target" yaml:"target" xml:"target"` + // The title for this finding. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. +type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid" yaml:"actor-uuid" xml:"actor-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type" yaml:"type" xml:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. 
+type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status" yaml:"status" xml:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id" yaml:"target-id" xml:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type" yaml:"type" xml:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state" yaml:"state" xml:"state"` } -type ParameterConstraint struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Tests *[]ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty"` +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. 
+ Reason *string `json:"reason,omitempty" yaml:"reason,omitempty" xml:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state" yaml:"state" xml:"state"` } -type ParameterGuideline struct { - Prose string `json:"prose" yaml:"prose"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } -type ParameterSelection struct { - Choice *[]string `json:"choice,omitempty" yaml:"choice,omitempty"` - HowMany string `json:"how-many,omitempty" yaml:"how-many,omitempty"` +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected" yaml:"collected" xml:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. + // Typically used with continuous assessment scenarios. 
+ Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty" xml:"expires,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Methods []string `json:"methods" yaml:"methods" xml:"methods"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty" xml:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Types []string `json:"types,omitempty" yaml:"types,omitempty" xml:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. + Description string `json:"description" yaml:"description" xml:"description"` + // A resolvable URL reference to relevant evidence. 
+ Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty" xml:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty" xml:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty" xml:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty" yaml:"remediations,omitempty" xml:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty" xml:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. + Statement string `json:"statement" yaml:"statement" xml:"statement"` + Status string `json:"status" yaml:"status" xml:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty" xml:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. 
+type Characterization struct { + Facets []Facet `json:"facets" yaml:"facets" xml:"facets"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origin FindingOrigin `json:"origin" yaml:"origin" xml:"origin"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type ControlImplementationSet struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirementControlImplementation `json:"implemented-requirements" yaml:"implemented-requirements"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Source string `json:"source" yaml:"source"` - UUID string `json:"uuid" yaml:"uuid"` +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system" yaml:"system" xml:"system"` + // Indicates the value of the facet. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. 
+type MitigatingFactor struct { + // A human-readable description of this mitigating factor. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty" xml:"implementation-uuid,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. 
+ ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. + Lifecycle string `json:"lifecycle" yaml:"lifecycle" xml:"lifecycle"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty" xml:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all risk-related tasks taken. +type RiskLog struct { + Entries []RiskLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type IncorporatesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty" xml:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + StatusChange *string `json:"status-change,omitempty" yaml:"status-change,omitempty" xml:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. 
+type RiskResponseReference struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid" yaml:"response-uuid" xml:"response-uuid"` } -type Protocol struct { - Name string `json:"name" yaml:"name"` - PortRanges *[]PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + ID string `json:"id" yaml:"id" xml:"id"` + // Specifies the source of the threat information. + System string `json:"system" yaml:"system" xml:"system"` } -type Origin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` +// A collection of controls. 
+type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + // A globally unique identifier with cross-instance scope for this catalog instance. This + // UUID should be changed when this document is revised. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A structured information object representing a security or privacy control. Each security +// or privacy control within the Catalog is defined by a distinct control instance. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + // A human-oriented, locally unique identifier with instance scope that can be used to + // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This + // id should be assigned per-subject, which means it should be consistently used to identify + // the same control across revisions of the document. 
+ ID string `json:"id" yaml:"id" xml:"id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ID string `json:"id" yaml:"id" xml:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. 
+ Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty" xml:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint + Expression string `json:"expression" yaml:"expression" xml:"expression"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type RelevantEvidence struct { - Description string `json:"description" yaml:"description"` - Href string `json:"href,omitempty" yaml:"href,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. 
+ Prose string `json:"prose" yaml:"prose" xml:"prose"` } -type SubjectReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// Presenting a choice among alternatives +type Selection struct { + Choice []string `json:"choice,omitempty" yaml:"choice,omitempty" xml:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. + HowMany *ParameterCardinality `json:"how-many,omitempty" yaml:"how-many,omitempty" xml:"how-many,omitempty"` } +// A group of controls, or of groups of controls. +type ControlGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in in this and other OSCAL instances (e.g., + // profiles). This id should be assigned per-subject, which means it should be consistently + // used to identify the same group across revisions of the document. 
+ ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty" xml:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty" xml:"import-component-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component definition elsewhere in this or other OSCAL instances. The + // locally defined UUID of the component definition can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A grouping of other components and/or capabilities. 
+type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description" yaml:"description" xml:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty" xml:"incorporates-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this capability elsewhere in this or other OSCAL instances. The locally + // defined UUID of the capability can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. 
+ Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source" yaml:"source" xml:"source"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a set of implemented controls elsewhere in this or other OSCAL instances. + // The locally defined UUID of the control implementation set can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A suggestion for how the specified control may be implemented if the containing component + // or capability is instantiated in a system security plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a specific control implementation elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance).This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Values []string `json:"values" yaml:"values" xml:"values"` +} + +// Identifies which statements within a control are addressed. 
+type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// TBD +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href" yaml:"href" xml:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. 
+type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty" xml:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items" yaml:"poam-items" xml:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty" yaml:"system-id,omitempty" xml:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. type PoamItemOrigin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` } -type RelatedObservation struct { - ObservationUuid string `json:"observation-uuid" yaml:"observation-uuid"` +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. 
+ ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` } -type AssociatedRisk struct { - RiskUuid string `json:"risk-uuid" yaml:"risk-uuid"` +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` } -type Characterization struct { - Facets []Facet `json:"facets" yaml:"facets"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origin Origin `json:"origin" yaml:"origin"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` -} - -type MitigatingFactor struct { - Description string `json:"description" yaml:"description"` - ImplementationUuid string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Response struct { - Description string `json:"description" yaml:"description"` - Lifecycle string `json:"lifecycle" yaml:"lifecycle"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RequiredAssets *[]RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type RiskLog struct { - Entries []RiskLogEntry `json:"entries" yaml:"entries"` -} - -type ThreatId struct { - Href string 
`json:"href,omitempty" yaml:"href,omitempty"` - ID string `json:"id" yaml:"id"` - System string `json:"system" yaml:"system"` -} - -type SelectControlById struct { - Matching *[]MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty"` - WithChildControls string `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty"` - WithIds *[]string `json:"with-ids,omitempty" yaml:"with-ids,omitempty"` +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty" xml:"identifier-type,omitempty"` } +// Each OSCAL profile is defined by a Profile element +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Imports []ImportResource `json:"imports" yaml:"imports" xml:"imports"` + Merge *MergeControls `json:"merge,omitempty" yaml:"merge,omitempty" xml:"merge,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Modify *ModifyControls `json:"modify,omitempty" yaml:"modify,omitempty" xml:"modify,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this profile elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the profile can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance).This identifier should be assigned per-subject, which means + // it should be consistently used to identify the same profile across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The import designates a catalog or profile to be included (referenced and potentially +// modified) by this profile. The import also identifies which controls to select using the +// include-all, include-controls, and exclude-controls directives. +type ImportResource struct { + ExcludeControls []Call `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. + Href string `json:"href" yaml:"href" xml:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` +} + +// Call a control by its ID +type Call struct { + Matching []MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty" xml:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty" xml:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty" yaml:"with-ids,omitempty" xml:"with-ids,omitempty"` +} + +// Select controls by (regular expression) match on ID +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. 
+ Pattern *string `json:"pattern,omitempty" yaml:"pattern,omitempty" xml:"pattern,omitempty"` +} + +// A Merge element provides structuring directives that drive how controls are organized +// after resolution. +type MergeControls struct { + // An As-is element indicates that the controls should be structured in resolution as they + // are structured in their source catalogs. It does not contain any elements or attributes. + AsIs *bool `json:"as-is,omitempty" yaml:"as-is,omitempty" xml:"as-is,omitempty"` + // A Combine element defines how to combine multiple (competing) versions of the same + // control. + Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty" xml:"combine,omitempty"` + // A Custom element frames a structure for embedding represented controls in resolution. + Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty" xml:"custom,omitempty"` + // Use the flat structuring method. + Flat *Flat `json:"flat,omitempty" yaml:"flat,omitempty" xml:"flat,omitempty"` +} + +// A Combine element defines how to combine multiple (competing) versions of the same +// control. type CombinationRule struct { - Method string `json:"method,omitempty" yaml:"method,omitempty"` + // How clashing controls should be handled + Method *CombinationMethod `json:"method,omitempty" yaml:"method,omitempty" xml:"method,omitempty"` } +// A Custom element frames a structure for embedding represented controls in resolution. 
type CustomGrouping struct { - Groups *[]ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` -} - -type Flat = map[string]interface{} - -type Alter struct { - Adds *[]Add `json:"adds,omitempty" yaml:"adds,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Removes *[]Remove `json:"removes,omitempty" yaml:"removes,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same group across revisions of the + // document. 
+ ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Specifies which controls to use in the containing context. +type SelectControls struct { + ExcludeControls []Call `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty" yaml:"order,omitempty" xml:"order,omitempty"` +} + +// Use the flat structuring method. +type Flat struct { +} + +// Set parameters or amend controls in resolution +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty" yaml:"alters,omitempty" xml:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// An Alter element specifies changes to be made to an included control when a profile is +// resolved. 
+type Alteration struct { + Adds []Addition `json:"adds,omitempty" yaml:"adds,omitempty" xml:"adds,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Removes []Removal `json:"removes,omitempty" yaml:"removes,omitempty" xml:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside it) + Position *Position `json:"position,omitempty" yaml:"position,omitempty" xml:"position,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty" yaml:"by-class,omitempty" xml:"by-class,omitempty"` + // Identify items to remove indicated by their id. 
+ ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + // Identify items to remove by the name of the item's information element name, e.g. title + // or prop + ByItemName *string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty" xml:"by-item-name,omitempty"` + // Identify items to remove by matching their assigned name + ByName *string `json:"by-name,omitempty" yaml:"by-name,omitempty" xml:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty" yaml:"by-ns,omitempty" xml:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). 
This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18 +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation" yaml:"control-implementation" xml:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile" xml:"import-profile"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics" xml:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation" xml:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. +type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). 
+ ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. 
+ Export *Export `json:"export,omitempty" yaml:"export,omitempty" xml:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty" xml:"inherited,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty" xml:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty" xml:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty" xml:"responsibilities,omitempty"` } -type ParameterSetting struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - ParamId string `json:"param-id" yaml:"param-id"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type ImplementedRequirement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - 
SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]Statement `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SetParameter struct { - ParamId string `json:"param-id" yaml:"param-id"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Values []string `json:"values" yaml:"values"` +// Describes a capability which may be inherited by a leveraging system. +type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. 
+type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty" xml:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies which statements within a control are addressed. 
+type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. +type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. 
+type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary" xml:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty" xml:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty" xml:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty" xml:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level" yaml:"security-impact-level" xml:"security-impact-level"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel string `json:"security-sensitivity-level" yaml:"security-sensitivity-level" xml:"security-sensitivity-level"` + Status SystemCharacteristicsStatus `json:"status" yaml:"status" xml:"status"` + SystemIDS []SystemIdentification `json:"system-ids" yaml:"system-ids" xml:"system-ids"` + SystemInformation SystemInformation `json:"system-information" yaml:"system-information" xml:"system-information"` + // The full name of the system. + SystemName string `json:"system-name" yaml:"system-name" xml:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. 
+ SystemNameShort *string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty" xml:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. type AuthorizationBoundary struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's authorization boundary. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty" yaml:"caption,omitempty" xml:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. type DataFlow struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's data flow. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. type NetworkArchitecture struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's network architecture. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. type SecurityImpactLevel struct { - SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability"` - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality"` - SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity"` -} - -type Status struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability" xml:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality" xml:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity" xml:"security-objective-integrity"` +} + +// Describes the operational status of the system. 
+type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state" yaml:"state" xml:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. type SystemInformation struct { - InformationTypes []InformationType `json:"information-types" yaml:"information-types"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` -} - -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized" yaml:"date-authorized"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type UsesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` + InformationTypes []InformationType `json:"information-types" yaml:"information-types" xml:"information-types"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type SystemComponentStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Base64 
struct { - Filename string `json:"filename,omitempty" yaml:"filename,omitempty"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Value string `json:"value" yaml:"value"` -} - -type Citation struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Text string `json:"text" yaml:"text"` -} - -type ResourceLink struct { - Hashes *[]Hash `json:"hashes,omitempty" yaml:"hashes,omitempty"` - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` -} - -type Step struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControls `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImplementedComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type AuthorizedPrivilege struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed"` - Title string `json:"title" yaml:"title"` -} - -type Address struct { - AddrLines *[]string `json:"addr-lines,omitempty" 
yaml:"addr-lines,omitempty"` - City string `json:"city,omitempty" yaml:"city,omitempty"` - Country string `json:"country,omitempty" yaml:"country,omitempty"` - PostalCode string `json:"postal-code,omitempty" yaml:"postal-code,omitempty"` - State string `json:"state,omitempty" yaml:"state,omitempty"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type TelephoneNumber struct { - Number string `json:"number" yaml:"number"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type PartyExternalIdentifier struct { - ID string `json:"id" yaml:"id"` - Scheme string `json:"scheme" yaml:"scheme"` -} - -type SelectObjectiveById struct { - ObjectiveId string `json:"objective-id" yaml:"objective-id"` -} - -type SelectControl struct { - ControlId string `json:"control-id" yaml:"control-id"` - StatementIds *[]string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty"` -} - -type FrequencyCondition struct { - Period int `json:"period" yaml:"period"` - Unit string `json:"unit" yaml:"unit"` -} - -type OnDateCondition struct { - Date time.Time `json:"date" yaml:"date"` -} - -type OnDateRangeCondition struct { - End time.Time `json:"end" yaml:"end"` - Start time.Time `json:"start" yaml:"start"` -} - -type AssessmentLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type FindingTarget struct { - Description string 
`json:"description,omitempty" yaml:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Status ObjectiveStatus `json:"status" yaml:"status"` - TargetId string `json:"target-id" yaml:"target-id"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. +type InformationType struct { + // The expected level of impact resulting from the disruption of access to or use of the + // described information or the information system. + AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact" yaml:"availability-impact" xml:"availability-impact"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty" xml:"categorizations,omitempty"` + // The expected level of impact resulting from the unauthorized disclosure of the described + // information. + ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact" yaml:"confidentiality-impact" xml:"confidentiality-impact"` + // A summary of how this information type is used within the system. + Description string `json:"description" yaml:"description" xml:"description"` + // The expected level of impact resulting from the unauthorized modification of the + // described information. 
+ IntegrityImpact IntegrityImpactLevel `json:"integrity-impact" yaml:"integrity-impact" xml:"integrity-impact"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// The expected level of impact resulting from the disruption of access to or use of the +// described information or the information system. +type AvailabilityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type ConstraintTest struct { - Expression string `json:"expression" yaml:"expression"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. 
+type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty" xml:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system" yaml:"system" xml:"system"` } -type ImplementedRequirementControlImplementation struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` +// The expected level of impact resulting from the unauthorized disclosure of the described +// information. 
+type ConfidentialityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type PortRange struct { - End int `json:"end,omitempty" yaml:"end,omitempty"` - Start int `json:"start,omitempty" yaml:"start,omitempty"` - Transport string `json:"transport,omitempty" yaml:"transport,omitempty"` +// The expected level of impact resulting from the unauthorized modification of the +// described information. +type IntegrityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type OriginActor struct { - ActorUuid string `json:"actor-uuid" yaml:"actor-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` - Type string `json:"type" yaml:"type"` -} +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components" yaml:"components" xml:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty" xml:"leveraged-authorizations,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users" yaml:"users" xml:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized" yaml:"date-authorized" xml:"date-authorized"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Indicates the transport type. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) -type RelatedTask struct { - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} +// The operational status. 
+type PurpleState string -type Facet struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - System string `json:"system" yaml:"system"` - Value string `json:"value" yaml:"value"` -} +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) -type RequiredAsset struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// A category describing the kind of party the object describes. 
+type PartyType string -type RiskLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedResponses *[]RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - StatusChange string `json:"status-change,omitempty" yaml:"status-change,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) -type MatchControlsByPattern struct { - Pattern string `json:"pattern,omitempty" yaml:"pattern,omitempty"` -} +// The unit of time for the period. 
+type TimeUnit string -type ControlGroup struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Groups *[]ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type InsertControls struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Order string `json:"order,omitempty" yaml:"order,omitempty"` -} - -type Add struct { - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Position string `json:"position,omitempty" yaml:"position,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` -} - -type Remove struct { - ByClass string `json:"by-class,omitempty" yaml:"by-class,omitempty"` - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - ByItemName string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty"` - ByName string `json:"by-name,omitempty" yaml:"by-name,omitempty"` - ByNs string `json:"by-ns,omitempty" yaml:"by-ns,omitempty"` -} - -type ByComponent struct { - ComponentUuid string `json:"component-uuid" 
yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` - Export *Export `json:"export,omitempty" yaml:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Inherited *[]InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Satisfied *[]SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Statement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) -type Diagram struct { - Caption string `json:"caption,omitempty" yaml:"caption,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string 
`json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The kind of actor. +type ActorType string -type InformationType struct { - AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact" yaml:"availability-impact"` - Categorizations *[]InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty"` - ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact" yaml:"confidentiality-impact"` - Description string `json:"description" yaml:"description"` - IntegrityImpact IntegrityImpactLevel `json:"integrity-impact" yaml:"integrity-impact"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) -type Hash struct { - Algorithm string `json:"algorithm" yaml:"algorithm"` - Value string `json:"value" yaml:"value"` -} +// An indication as to whether the objective is satisfied or not. +type ObjectiveStatusState string -type LoggedBy struct { - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` -} +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) -type ImplementationStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} +// Identifies the type of the target. 
+type FindingTargetType string -type ObjectiveStatus struct { - Reason string `json:"reason,omitempty" yaml:"reason,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) -type ControlStatementImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +type ParameterCardinality string -type IdentifiedSubject struct { - SubjectPlaceholderUuid string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` -} +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) -type RiskResponseReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponseUuid string `json:"response-uuid" yaml:"response-uuid"` -} +// When a control is included, whether its child (dependent) controls are also included. 
+type IncludeContainedControlsWithControl string -type Export struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Provided *[]ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Responsibilities *[]ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty"` -} +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) -type InheritedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// How clashing controls should be handled +type CombinationMethod string -type SatisfiedControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibilityUuid string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) -type AvailabilityImpactLevel 
struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// A designation of how a selection of controls in a profile is to be ordered. +type Order string -type InformationTypeCategorization struct { - InformationTypeIds *[]string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty"` - System string `json:"system" yaml:"system"` -} +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) -type ConfidentialityImpactLevel struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// Where to add the new content with respect to the targeted element (beside it or inside it) +type Position string -type IntegrityImpactLevel struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) -type ProvidedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" 
yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The current operating status. +type FluffyState string -type ControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/oscal-1-0-5/types.go b/src/types/oscal-1-0-5/types.go index a4f1874f..73741676 100644 --- a/src/types/oscal-1-0-5/types.go +++ b/src/types/oscal-1-0-5/types.go 
@@ -1,1268 +1,5258 @@ -/* -This file was auto-generated with go-oscal. +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() -To regenerate: - - go-oscal generate \ - --input-file \ - --output-file // the path to this file must already exist \ - --tags json,yaml // the tags to add to the Go structs \ - --pkg // defaults to "main" - -For more information on how to use go-oscal: go-oscal --help - -Source: https://github.com/defenseunicorns/go-oscal -*/ package oscalTypes_1_0_5 -import ( - "time" -) - -type OscalModels = OscalCompleteSchema -type OscalCompleteSchema struct { - AssessmentPlan *AssessmentPlan `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty"` - AssessmentResults *AssessmentResults `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty"` - Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestones `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty"` - Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty"` - SystemSecurityPlan *SystemSecurityPlan `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty"` -} - -type AssessmentPlan struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - AssessmentSubjects *[]AssessmentSubject `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportSsp ImportSsp `json:"import-ssp" yaml:"import-ssp"` - LocalDefinitions *LocalDefinitions 
`json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentResults struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportAp ImportAp `json:"import-ap" yaml:"import-ap"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Results []Result `json:"results" yaml:"results"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Capabilities *[]Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty"` - Components *[]DefinedComponent `json:"components,omitempty" yaml:"components,omitempty"` - ImportComponentDefinitions *[]ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestones struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - 
ImportSsp *ImportSsp `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - PoamItems []PoamItem `json:"poam-items" yaml:"poam-items"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - SystemId *SystemId `json:"system-id,omitempty" yaml:"system-id,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Imports []Import `json:"imports" yaml:"imports"` - Merge *Merge `json:"merge,omitempty" yaml:"merge,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Modify *Modify `json:"modify,omitempty" yaml:"modify,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemSecurityPlan struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ControlImplementation ControlImplementation `json:"control-implementation" yaml:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation"` - UUID string `json:"uuid" yaml:"uuid"` -} - +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty" xml:"catalog,omitempty"` + 
Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty" xml:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty" xml:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty" xml:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty" xml:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty" xml:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty" xml:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty" xml:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp" yaml:"import-ssp" xml:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty" xml:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. 
type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatform `json:"assessment-platforms" yaml:"assessment-platforms"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms" yaml:"assessment-platforms" xml:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty" xml:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A reference to a local or remote resource +type Link struct { + // A resolvable URL reference to a resource. + Href string `json:"href" yaml:"href" xml:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + // Describes the type of relationship provided by the link. This can be an indicator of the + // link's purpose. + Rel *Relation `json:"rel,omitempty" yaml:"rel,omitempty" xml:"rel,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty" yaml:"text,omitempty" xml:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. The value of a property is a simple scalar value, +// which may be expressed as a list of values. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. This + // can be used to further distinguish or discriminate between the semantics of multiple + // properties of the same object with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A textual label that uniquely identifies a specific attribute, characteristic, or quality + // of the property's containing object. + Name PropertyName `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined property elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. 
+ UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type AssessmentSubject struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeSubjects *[]SelectSubjectById `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeSubjects *[]SelectSubjectById `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Type string `json:"type" yaml:"type"` +// A reference to a set of organizations or persons that have responsibility for performing +// a referenced role in the context of the containing object. 
+type ResponsibleParty struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids" yaml:"party-uuids" xml:"party-uuids"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to roles served by the user. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status" yaml:"status" xml:"status"` + // A human readable name for the system component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. 
+ Type PurpleComponentType `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name" yaml:"name" xml:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty" xml:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. 
+type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty" yaml:"start,omitempty" xml:"start,omitempty"` + // Indicates the transport type. + Transport *Transport `json:"transport,omitempty" yaml:"transport,omitempty" xml:"transport,omitempty"` } +// A reference to one or more roles with responsibility for performing a function relative +// to the containing object. +type ResponsibleRole struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty" xml:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to roles responsible for the business function. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state" yaml:"state" xml:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty" xml:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty" xml:"include-subjects,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type SubjectType `json:"type" yaml:"type" xml:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type SubjectUniversallyUniqueIdentifierReferenceType `json:"type" yaml:"type" xml:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources, which may be included directly or by reference. 
type BackMatter struct { - Resources *[]Resource `json:"resources,omitempty" yaml:"resources,omitempty"` -} - -type ImportSsp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type LocalDefinitions struct { - Activities *[]Activity `json:"activities,omitempty" yaml:"activities,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - ObjectivesAndMethods *[]LocalObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users *[]SystemUser `json:"users,omitempty" yaml:"users,omitempty"` -} - -type Metadata struct { - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified" yaml:"last-modified"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Locations *[]Location `json:"locations,omitempty" yaml:"locations,omitempty"` - OscalVersion string `json:"oscal-version" yaml:"oscal-version"` - Parties *[]Party `json:"parties,omitempty" yaml:"parties,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Revisions *[]Revision `json:"revisions,omitempty" yaml:"revisions,omitempty"` - Roles *[]Role `json:"roles,omitempty" yaml:"roles,omitempty"` - Title string `json:"title" yaml:"title"` - Version string `json:"version" yaml:"version"` -} - -type ReviewedControls struct { - ControlObjectiveSelections *[]ReferencedControlObjectives `json:"control-objective-selections,omitempty" 
yaml:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Task struct { - AssociatedActivities *[]AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty"` - Dependencies *[]TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentPlanTermsAndConditions struct { - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` -} - -type ImportAp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Result struct { - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty"` - Attestations *[]AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty"` - Description string `json:"description" yaml:"description"` - End *time.Time `json:"end,omitempty" 
yaml:"end,omitempty"` - Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Control struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type Group struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type Parameter struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints 
*[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - ID string `json:"id" yaml:"id"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type Capability struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - IncorporatesComponents *[]IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DefinedComponent struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - 
ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImportComponentDefinition struct { - Href string `json:"href" yaml:"href"` -} - -type PlanOfActionAndMilestonesLocalDefinitions struct { - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + Resources []ResourceElement `json:"resources,omitempty" yaml:"resources,omitempty" xml:"resources,omitempty"` +} + +// A resource associated with content in the containing document. A resource may be directly +// included in the document base64 encoded or may point to one or more equivalent internet +// resources. +type ResourceElement struct { + // The Base64 alphabet in RFC 2045 - aligned with XSD. + Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty" xml:"base64,omitempty"` + // A citation consisting of end note text and optional structured bibliographic data. + Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty" xml:"citation,omitempty"` + // A short summary of the resource used to indicate the purpose of the resource. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty" xml:"rlinks,omitempty"` + // A name given to the resource, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The Base64 alphabet in RFC 2045 - aligned with XSD. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty" yaml:"filename,omitempty" xml:"filename,omitempty"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Observation struct { - Collected time.Time `json:"collected" yaml:"collected"` - Description string `json:"description" yaml:"description"` - Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Methods []string `json:"methods" yaml:"methods"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelevantEvidence *[]RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Types *[]string `json:"types,omitempty" yaml:"types,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PoamItem struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} - -type Risk struct { - Characterizations *[]Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty"` - Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty"` - Description string 
`json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - MitigatingFactors *[]MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - Remediations *[]Response `json:"remediations,omitempty" yaml:"remediations,omitempty"` - RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty"` - Statement string `json:"statement" yaml:"statement"` - Status string `json:"status" yaml:"status"` - ThreatIds *[]ThreatId `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemId struct { - ID string `json:"id" yaml:"id"` - IdentifierType string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty"` -} - -type Import struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - Href string `json:"href" yaml:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` -} - -type Merge struct { - AsIs bool `json:"as-is,omitempty" yaml:"as-is,omitempty"` - Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty"` - Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty"` - Flat *Flat `json:"flat,omitempty" yaml:"flat,omitempty"` -} - -type Modify struct { - Alters *[]Alter `json:"alters,omitempty" yaml:"alters,omitempty"` - SetParameters *[]ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` -} - -type ControlImplementation struct { - Description string 
`json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirement `json:"implemented-requirements" yaml:"implemented-requirements"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` +// A citation consisting of end note text and optional structured bibliographic data. +type Citation struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A line of citation text. + Text string `json:"text" yaml:"text" xml:"text"` +} + +// A document identifier qualified by an identifier scheme. A document identifier provides a +// globally unique identifier with a cross-instance scope that is used for a group of +// documents that are to be treated as different versions of the same document. If this +// element does not appear, or if the value of this element is empty, the value of +// "document-id" is equal to the value of the "uuid" flag of the top-level root element. +type DocumentIdentifier struct { + Identifier string `json:"identifier" yaml:"identifier" xml:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *DocumentIdentificationScheme `json:"scheme,omitempty" yaml:"scheme,omitempty" xml:"scheme,omitempty"` +} + +// A pointer to an external resource with an optional hash for verification and change +// detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty" yaml:"hashes,omitempty" xml:"hashes,omitempty"` + // A resolvable URI reference to a resource. + Href string `json:"href" yaml:"href" xml:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` } -type ImportProfile struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // Method by which a hash is derived + Algorithm HashAlgorithm `json:"algorithm" yaml:"algorithm" xml:"algorithm"` + Value string `json:"value" yaml:"value" xml:"value"` } -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty"` - DateAuthorized string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level" yaml:"security-impact-level"` - SecuritySensitivityLevel string `json:"security-sensitivity-level" yaml:"security-sensitivity-level"` - Status Status `json:"status" yaml:"status"` - SystemIds []SystemId `json:"system-ids" yaml:"system-ids"` - SystemInformation SystemInformation `json:"system-information" yaml:"system-information"` - SystemName string `json:"system-name" yaml:"system-name"` - SystemNameShort string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty"` +// Used by the assessment plan and POA&M to import information about the 
system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. + Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type SystemImplementation struct { - Components []SystemComponent `json:"components" yaml:"components"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - LeveragedAuthorizations *[]LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users []SystemUser `json:"users" yaml:"users"` -} - -type AssessmentPlatform struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UsesComponents *[]UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemComponent struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Status SystemComponentStatus `json:"status" yaml:"status"` - Title string `json:"title" yaml:"title"` - Type 
string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SelectSubjectById struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Type string `json:"type" yaml:"type"` -} - -type IncludeAll = map[string]interface{} - -type Link struct { - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Rel string `json:"rel,omitempty" yaml:"rel,omitempty"` - Text string `json:"text,omitempty" yaml:"text,omitempty"` -} - -type Property struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` - Value string `json:"value" yaml:"value"` -} - -type Resource struct { - Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty"` - Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Rlinks *[]ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. 
+type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. type Activity struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedControls *ReviewedControls `json:"related-controls,omitempty" yaml:"related-controls,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Steps *[]Step `json:"steps,omitempty" yaml:"steps,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` + // A human-readable description of this included activity. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty" yaml:"related-controls,omitempty" xml:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty" yaml:"steps,omitempty" xml:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty" xml:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections" xml:"control-selections"` + // A human-readable description of control objectives. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty" xml:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty" xml:"include-objectives,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id" yaml:"objective-id" xml:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. 
+type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeControls []SelectControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []SelectControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type SelectControl struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty" xml:"statement-ids,omitempty"` } +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty" xml:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A single managed inventory item within the system. 
type InventoryItem struct { - Description string `json:"description" yaml:"description"` - ImplementedComponents *[]ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type LocalObjective struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Parts []Part `json:"parts" yaml:"parts"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty" xml:"implemented-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Parts []Part `json:"parts" yaml:"parts" xml:"parts"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A partition of a control's definition or a child of another part. +type Part struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined part elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. type SystemUser struct { - AuthorizedPrivileges *[]AuthorizedPrivilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleIds *[]string `json:"role-ids,omitempty" yaml:"role-ids,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DocumentId struct { - Identifier string `json:"identifier" yaml:"identifier"` - Scheme string `json:"scheme,omitempty" yaml:"scheme,omitempty"` -} - + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty" xml:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty" yaml:"role-ids,omitempty" xml:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed" xml:"functions-performed"` + // A human readable name for the privilege. 
+ Title string `json:"title" yaml:"title" xml:"title"` +} + +// Provides information about the publication and availability of the containing document. +type PublicationMetadata struct { + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified" yaml:"last-modified" xml:"last-modified"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Locations []Location `json:"locations,omitempty" yaml:"locations,omitempty" xml:"locations,omitempty"` + OscalVersion string `json:"oscal-version" yaml:"oscal-version" xml:"oscal-version"` + Parties []PartyOrganizationOrPerson `json:"parties,omitempty" yaml:"parties,omitempty" xml:"parties,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty" xml:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty" yaml:"roles,omitempty" xml:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// A location, with associated metadata that can be referenced. 
type Location struct { - Address Address `json:"address" yaml:"address"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Urls *[]string `json:"urls,omitempty" yaml:"urls,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Party struct { - Addresses *[]Address `json:"addresses,omitempty" yaml:"addresses,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - ExternalIds *[]PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocationUuids *[]string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty"` - MemberOfOrganizations *[]string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty"` - Name string `json:"name,omitempty" yaml:"name,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ResponsibleParty struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids []string `json:"party-uuids" yaml:"party-uuids"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId 
string `json:"role-id" yaml:"role-id"` -} - -type Revision struct { - LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - OscalVersion string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Version string `json:"version" yaml:"version"` -} - + Address Address `json:"address" yaml:"address" xml:"address"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Urls []string `json:"urls,omitempty" yaml:"urls,omitempty" xml:"urls,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined location elsewhere in this or other OSCAL instances. The + // locally defined UUID of the location can be used to reference the data item locally or + // globally (e.g., from an importing OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty" xml:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty" yaml:"city,omitempty" xml:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty" yaml:"country,omitempty" xml:"country,omitempty"` + // Postal or ZIP code for mailing address + PostalCode *string `json:"postal-code,omitempty" yaml:"postal-code,omitempty" xml:"postal-code,omitempty"` + // State, province or analogous geographical region for mailing address + State *string `json:"state,omitempty" yaml:"state,omitempty" xml:"state,omitempty"` + // Indicates the type of address. + Type *AddressType `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// Contact number by telephone. +type TelephoneNumber struct { + Number string `json:"number" yaml:"number" xml:"number"` + // Indicates the type of phone number. + Type *TypeFlag `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// A responsible entity which is either a person or an organization. 
+type PartyOrganizationOrPerson struct { + Addresses []Address `json:"addresses,omitempty" yaml:"addresses,omitempty" xml:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty" xml:"external-ids,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty" xml:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty" xml:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty" yaml:"name,omitempty" xml:"name,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined party elsewhere in this or other OSCAL instances. The locally + // defined UUID of the party can be used to reference the data item locally or globally + // (e.g., from an importing OSCAL instance). 
This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID) +type PartyExternalIdentifier struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Indicates the type of external identifier. + Scheme ExternalIdentifierSchema `json:"scheme" yaml:"scheme" xml:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document in reverse +// chronological order (i.e., most recent previous revision first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty" xml:"last-modified,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty" xml:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// Defines a function assumed or expected to be assumed by a party in a specific situation. 
type Role struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type ReferencedControlObjectives struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeObjectives *[]SelectObjectiveById `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeObjectives *[]SelectObjectiveById `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type AssessedControls struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeControls *[]SelectControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - + // A summary of the role's purpose and associated responsibilities. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined role elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL + // instance must be referenced in the context of the containing resource (e.g., import, + // import-component-definition, import-profile, import-ssp or import-ap). This ID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ID string `json:"id" yaml:"id" xml:"id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty" xml:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty" xml:"dependencies,omitempty"` + // A human-readable description of this task. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty" xml:"timing,omitempty"` + // The title for this task. + Title string `json:"title" yaml:"title" xml:"title"` + // The type of task. + Type TaskType `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. 
type AssociatedActivity struct { - ActivityUuid string `json:"activity-uuid" yaml:"activity-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid" yaml:"activity-uuid" xml:"activity-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } +// Used to indicate that a task is dependent on another task. type TaskDependency struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} - -type ResponsibleRole struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids *[]string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. 
+ TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` } +// The timing under which the task is intended to occur. type EventTiming struct { - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty"` - OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty"` - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty"` + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty" xml:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty" xml:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty" xml:"within-date-range,omitempty"` } -type AssessmentPart struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} - -type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries" yaml:"entries"` -} - -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts" yaml:"parts"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` +// The task is intended to occur at the specified frequency. 
+type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period" yaml:"period" xml:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit" yaml:"unit" xml:"unit"` } -type Finding struct { - Description string `json:"description" yaml:"description"` - ImplementationStatementUuid string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Target FindingTarget `json:"target" yaml:"target"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date" yaml:"date" xml:"date"` } -type Part struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` +// The task is intended to occur within the specified date range. 
+type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end" yaml:"end" xml:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start" yaml:"start" xml:"start"` } -type ParameterConstraint struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Tests *[]ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty"` +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. +type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` } -type ParameterGuideline struct { - Prose string `json:"prose" yaml:"prose"` +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name PartName `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. 
+ Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. +type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap" yaml:"import-ap" xml:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Results []AssessmentResult `json:"results" yaml:"results" xml:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. + Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. +type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty" xml:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty" xml:"attestations,omitempty"` + // A human-readable description of this set of test results. 
+ Description string `json:"description" yaml:"description" xml:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. + End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Findings []FindingElement `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this set of results. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all assessment-related actions taken. +type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type ParameterSelection struct { - Choice *[]string `json:"choice,omitempty" yaml:"choice,omitempty"` - HowMany string `json:"how-many,omitempty" yaml:"how-many,omitempty"` +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this event. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. +type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty" xml:"identified-subject,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. 
+ TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. + SubjectPlaceholderUUID string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid" xml:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } -type ControlImplementationSet struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirementControlImplementation `json:"implemented-requirements" yaml:"implemented-requirements"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Source string `json:"source" yaml:"source"` - UUID string `json:"uuid" yaml:"uuid"` +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts" yaml:"parts" xml:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` +} + +// Describes an individual finding. +type FindingElement struct { + // A human-readable description of this finding. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. 
+ ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty" xml:"implementation-statement-uuid,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Target TargetClass `json:"target" yaml:"target" xml:"target"` + // The title for this finding. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. 
+type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid" yaml:"actor-uuid" xml:"actor-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type" yaml:"type" xml:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status" yaml:"status" xml:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id" yaml:"target-id" xml:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type" yaml:"type" xml:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State ImplementationState `json:"state" yaml:"state" xml:"state"` } -type IncorporatesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. 
+ Reason *ObjectiveStatusReason `json:"reason,omitempty" yaml:"reason,omitempty" xml:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state" yaml:"state" xml:"state"` } -type Protocol struct { - Name string `json:"name" yaml:"name"` - PortRanges *[]PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } -type Origin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected" yaml:"collected" xml:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. 
+ // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty" xml:"expires,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Methods []ObservationMethod `json:"methods" yaml:"methods" xml:"methods"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty" xml:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Types []ObservationType `json:"types,omitempty" yaml:"types,omitempty" xml:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. + Description string `json:"description" yaml:"description" xml:"description"` + // A resolvable URL reference to relevant evidence. 
+ Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type SubjectUniversallyUniqueIdentifierReferenceType `json:"type" yaml:"type" xml:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty" xml:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty" xml:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty" xml:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty" yaml:"remediations,omitempty" xml:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty" xml:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. + Statement string `json:"statement" yaml:"statement" xml:"statement"` + Status RiskStatus `json:"status" yaml:"status" xml:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty" xml:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. 
+type Characterization struct { + Facets []Facet `json:"facets" yaml:"facets" xml:"facets"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origin FindingOrigin `json:"origin" yaml:"origin" xml:"origin"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type RelevantEvidence struct { - Description string `json:"description" yaml:"description"` - Href string `json:"href,omitempty" yaml:"href,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System NamingSystem `json:"system" yaml:"system" xml:"system"` + // Indicates the value of the facet. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. 
+ Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty" xml:"implementation-uuid,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. 
+type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. + Lifecycle RemediationIntent `json:"lifecycle" yaml:"lifecycle" xml:"lifecycle"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty" xml:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all risk-related tasks taken. +type RiskLog struct { + Entries []RiskLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type SubjectReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty" xml:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + StatusChange *RiskStatus `json:"status-change,omitempty" yaml:"status-change,omitempty" xml:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. 
+type RiskResponseReference struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid" yaml:"response-uuid" xml:"response-uuid"` } -type PoamItemOrigin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + ID string `json:"id" yaml:"id" xml:"id"` + // Specifies the source of the threat information. + System ThreatTypeIdentificationSystem `json:"system" yaml:"system" xml:"system"` } -type RelatedObservation struct { - ObservationUuid string `json:"observation-uuid" yaml:"observation-uuid"` +// A collection of controls. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + // A globally unique identifier with cross-instance scope for this catalog instance. This + // UUID should be changed when this document is revised. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A structured information object representing a security or privacy control. Each security +// or privacy control within the Catalog is defined by a distinct control instance. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + // A human-oriented, locally unique identifier with instance scope that can be used to + // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This + // id should be assigned per-subject, which means it should be consistently used to identify + // the same control across revisions of the document. + ID string `json:"id" yaml:"id" xml:"id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. 
+ DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ID string `json:"id" yaml:"id" xml:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty" xml:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. 
+type ConstraintTest struct { + // A formal (executable) expression of a constraint + Expression string `json:"expression" yaml:"expression" xml:"expression"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type AssociatedRisk struct { - RiskUuid string `json:"risk-uuid" yaml:"risk-uuid"` +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. + Prose string `json:"prose" yaml:"prose" xml:"prose"` } -type Characterization struct { - Facets []Facet `json:"facets" yaml:"facets"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origin Origin `json:"origin" yaml:"origin"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` +// Presenting a choice among alternatives +type Selection struct { + Choice []string `json:"choice,omitempty" yaml:"choice,omitempty" xml:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. 
+ HowMany *ParameterCardinality `json:"how-many,omitempty" yaml:"how-many,omitempty" xml:"how-many,omitempty"` } -type MitigatingFactor struct { - Description string `json:"description" yaml:"description"` - ImplementationUuid string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Response struct { - Description string `json:"description" yaml:"description"` - Lifecycle string `json:"lifecycle" yaml:"lifecycle"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RequiredAssets *[]RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` +// A group of controls, or of groups of controls. +type ControlGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in in this and other OSCAL instances (e.g., + // profiles). 
This id should be assigned per-subject, which means it should be consistently + // used to identify the same group across revisions of the document. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty" xml:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty" xml:"import-component-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component definition elsewhere in this or other OSCAL instances. The + // locally defined UUID of the component definition can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description" yaml:"description" xml:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty" xml:"incorporates-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this capability elsewhere in this or other OSCAL instances. The locally + // defined UUID of the capability can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. 
+ Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source" yaml:"source" xml:"source"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a set of implemented controls elsewhere in this or other OSCAL instances. + // The locally defined UUID of the control implementation set can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A suggestion for how the specified control may be implemented if the containing component + // or capability is instantiated in a system security plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a specific control implementation elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance).This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Values []string `json:"values" yaml:"values" xml:"values"` +} + +// Identifies which statements within a control are addressed. 
+type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// TBD +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type FluffyComponentType `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href" yaml:"href" xml:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. 
+type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty" xml:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items" yaml:"poam-items" xml:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty" yaml:"system-id,omitempty" xml:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. +type PoamItemOrigin struct { + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` } -type RiskLog struct { - Entries []RiskLogEntry `json:"entries" yaml:"entries"` +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. 
+ ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` } -type ThreatId struct { - Href string `json:"href,omitempty" yaml:"href,omitempty"` - ID string `json:"id" yaml:"id"` - System string `json:"system" yaml:"system"` +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` } -type SelectControlById struct { - Matching *[]MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty"` - WithChildControls string `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty"` - WithIds *[]string `json:"with-ids,omitempty" yaml:"with-ids,omitempty"` +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Identifies the identification system from which the provided identifier was assigned. 
+ IdentifierType *IdentificationSystemType `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty" xml:"identifier-type,omitempty"` } +// Each OSCAL profile is defined by a Profile element +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Imports []ImportResource `json:"imports" yaml:"imports" xml:"imports"` + Merge *MergeControls `json:"merge,omitempty" yaml:"merge,omitempty" xml:"merge,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Modify *ModifyControls `json:"modify,omitempty" yaml:"modify,omitempty" xml:"modify,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this profile elsewhere in this or other OSCAL instances. The locally defined + // UUID of the profile can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance).This identifier should be assigned per-subject, which means + // it should be consistently used to identify the same profile across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The import designates a catalog or profile to be included (referenced and potentially +// modified) by this profile. The import also identifies which controls to select using the +// include-all, include-controls, and exclude-controls directives. +type ImportResource struct { + ExcludeControls []Call `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
+ Href string `json:"href" yaml:"href" xml:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` +} + +// Call a control by its ID +type Call struct { + Matching []MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty" xml:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty" xml:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty" yaml:"with-ids,omitempty" xml:"with-ids,omitempty"` +} + +// Select controls by (regular expression) match on ID +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty" yaml:"pattern,omitempty" xml:"pattern,omitempty"` +} + +// A Merge element provides structuring directives that drive how controls are organized +// after resolution. +type MergeControls struct { + // An As-is element indicates that the controls should be structured in resolution as they + // are structured in their source catalogs. It does not contain any elements or attributes. + AsIs *bool `json:"as-is,omitempty" yaml:"as-is,omitempty" xml:"as-is,omitempty"` + // A Combine element defines how to combine multiple (competing) versions of the same + // control. + Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty" xml:"combine,omitempty"` + // A Custom element frames a structure for embedding represented controls in resolution. + Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty" xml:"custom,omitempty"` + // Use the flat structuring method. 
+ Flat *Flat `json:"flat,omitempty" yaml:"flat,omitempty" xml:"flat,omitempty"` +} + +// A Combine element defines how to combine multiple (competing) versions of the same +// control. type CombinationRule struct { - Method string `json:"method,omitempty" yaml:"method,omitempty"` + // How clashing controls should be handled + Method *CombinationMethod `json:"method,omitempty" yaml:"method,omitempty" xml:"method,omitempty"` } +// A Custom element frames a structure for embedding represented controls in resolution. type CustomGrouping struct { - Groups *[]ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` -} - -type Flat = map[string]interface{} - -type Alter struct { - Adds *[]Add `json:"adds,omitempty" yaml:"adds,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Removes *[]Remove `json:"removes,omitempty" yaml:"removes,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). 
This id should be assigned per-subject, which + // means it should be consistently used to identify the same group across revisions of the + // document. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Specifies which controls to use in the containing context. +type SelectControls struct { + ExcludeControls []Call `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty" yaml:"order,omitempty" xml:"order,omitempty"` +} + +// Use the flat structuring method. +type Flat struct { +} + +// Set parameters or amend controls in resolution +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty" yaml:"alters,omitempty" xml:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// An Alter element specifies changes to be made to an included control when a profile is +// resolved. 
+type Alteration struct { + Adds []Addition `json:"adds,omitempty" yaml:"adds,omitempty" xml:"adds,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Removes []Removal `json:"removes,omitempty" yaml:"removes,omitempty" xml:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside it) + Position *Position `json:"position,omitempty" yaml:"position,omitempty" xml:"position,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty" yaml:"by-class,omitempty" xml:"by-class,omitempty"` + // Identify items to remove indicated by their id. 
+ ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + // Identify items to remove by the name of the item's information element name, e.g. title + // or prop + ByItemName *string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty" xml:"by-item-name,omitempty"` + // Identify items to remove by matching their assigned name + ByName *string `json:"by-name,omitempty" yaml:"by-name,omitempty" xml:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty" yaml:"by-ns,omitempty" xml:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). 
This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18 +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation" yaml:"control-implementation" xml:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile" xml:"import-profile"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics" xml:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation" xml:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. +type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). 
+ ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. 
+ Export *Export `json:"export,omitempty" yaml:"export,omitempty" xml:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty" xml:"inherited,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty" xml:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty" xml:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty" xml:"responsibilities,omitempty"` } -type ParameterSetting struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - ParamId string `json:"param-id" yaml:"param-id"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type ImplementedRequirement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - 
SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]Statement `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SetParameter struct { - ParamId string `json:"param-id" yaml:"param-id"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Values []string `json:"values" yaml:"values"` +// Describes a capability which may be inherited by a leveraging system. +type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. 
+type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty" xml:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies which statements within a control are addressed. 
+type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. +type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. 
+type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary" xml:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty" xml:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty" xml:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty" xml:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level" yaml:"security-impact-level" xml:"security-impact-level"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel string `json:"security-sensitivity-level" yaml:"security-sensitivity-level" xml:"security-sensitivity-level"` + Status SystemCharacteristicsStatus `json:"status" yaml:"status" xml:"status"` + SystemIDS []SystemIdentification `json:"system-ids" yaml:"system-ids" xml:"system-ids"` + SystemInformation SystemInformation `json:"system-information" yaml:"system-information" xml:"system-information"` + // The full name of the system. + SystemName string `json:"system-name" yaml:"system-name" xml:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. 
+ SystemNameShort *string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty" xml:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. type AuthorizationBoundary struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's authorization boundary. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty" yaml:"caption,omitempty" xml:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. type DataFlow struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's data flow. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. type NetworkArchitecture struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's network architecture. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. type SecurityImpactLevel struct { - SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability"` - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality"` - SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity"` -} - -type Status struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability" xml:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality" xml:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity" xml:"security-objective-integrity"` +} + +// Describes the operational status of the system. 
+type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state" yaml:"state" xml:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. type SystemInformation struct { - InformationTypes []InformationType `json:"information-types" yaml:"information-types"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` -} - -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized" yaml:"date-authorized"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type UsesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type SystemComponentStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Base64 struct { - Filename string `json:"filename,omitempty" yaml:"filename,omitempty"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Value string `json:"value" yaml:"value"` -} - -type Citation struct { - Links *[]Link `json:"links,omitempty" 
yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Text string `json:"text" yaml:"text"` -} - -type ResourceLink struct { - Hashes *[]Hash `json:"hashes,omitempty" yaml:"hashes,omitempty"` - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` + InformationTypes []InformationType `json:"information-types" yaml:"information-types" xml:"information-types"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type Step struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControls `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. +type InformationType struct { + // The expected level of impact resulting from the disruption of access to or use of the + // described information or the information system. + AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact" yaml:"availability-impact" xml:"availability-impact"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty" xml:"categorizations,omitempty"` + // The expected level of impact resulting from the unauthorized disclosure of the described + // information. 
+ ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact" yaml:"confidentiality-impact" xml:"confidentiality-impact"` + // A summary of how this information type is used within the system. + Description string `json:"description" yaml:"description" xml:"description"` + // The expected level of impact resulting from the unauthorized modification of the + // described information. + IntegrityImpact IntegrityImpactLevel `json:"integrity-impact" yaml:"integrity-impact" xml:"integrity-impact"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// The expected level of impact resulting from the disruption of access to or use of the +// described information or the information system. 
+type AvailabilityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type ImplementedComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty" xml:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System InformationTypeIdentificationSystem `json:"system" yaml:"system" xml:"system"` } -type AuthorizedPrivilege struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed"` - Title string `json:"title" yaml:"title"` +// The expected level of impact resulting from the unauthorized disclosure of the described +// information. 
+type ConfidentialityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type Address struct { - AddrLines *[]string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty"` - City string `json:"city,omitempty" yaml:"city,omitempty"` - Country string `json:"country,omitempty" yaml:"country,omitempty"` - PostalCode string `json:"postal-code,omitempty" yaml:"postal-code,omitempty"` - State string `json:"state,omitempty" yaml:"state,omitempty"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` +// The expected level of impact resulting from the unauthorized modification of the +// described information. +type IntegrityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type TelephoneNumber struct { - Number string `json:"number" yaml:"number"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components" yaml:"components" xml:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty" xml:"leveraged-authorizations,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users" yaml:"users" xml:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized" yaml:"date-authorized" xml:"date-authorized"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. 
This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. 
+type Relation string + +const ( + Reference Relation = "reference" +) -type PartyExternalIdentifier struct { - ID string `json:"id" yaml:"id"` - Scheme string `json:"scheme" yaml:"scheme"` -} +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type PropertyName string + +const ( + Marking PropertyName = "marking" +) -type SelectObjectiveById struct { - ObjectiveId string `json:"objective-id" yaml:"objective-id"` -} +// Indicates the transport type. +// +// A textual label that provides a sub-type or characterization of the property's name. 
This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. 
+// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). 
+// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) -type SelectControl struct { - ControlId string `json:"control-id" yaml:"control-id"` - StatementIds *[]string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty"` -} +// The operational status. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). 
This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). 
This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. 
title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) -type FrequencyCondition struct { - Period int `json:"period" yaml:"period"` - Unit string `json:"unit" yaml:"unit"` -} +// A category describing the purpose of the component. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. 
+// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
+// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type PurpleComponentType string + +const ( + Network PurpleComponentType = "network" + PurpleGuidance PurpleComponentType = "guidance" + PurpleHardware PurpleComponentType = "hardware" + PurpleInterconnection PurpleComponentType = "interconnection" + PurplePhysical PurpleComponentType = "physical" + PurplePlan PurpleComponentType = "plan" + PurplePolicy PurpleComponentType = "policy" + PurpleProcessProcedure PurpleComponentType = "process-procedure" + PurpleService PurpleComponentType = "service" + PurpleSoftware PurpleComponentType = "software" + PurpleStandard PurpleComponentType = "standard" + PurpleValidation PurpleComponentType = "validation" + System PurpleComponentType = "system" + ThisSystem PurpleComponentType = "this-system" +) -type OnDateCondition struct { - Date time.Time `json:"date" yaml:"date"` -} +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type SubjectUniversallyUniqueIdentifierReferenceType string + +const ( + Resource SubjectUniversallyUniqueIdentifierReferenceType = "resource" + SubjectUniversallyUniqueIdentifierReferenceTypeComponent SubjectUniversallyUniqueIdentifierReferenceType = "component" + SubjectUniversallyUniqueIdentifierReferenceTypeInventoryItem SubjectUniversallyUniqueIdentifierReferenceType = "inventory-item" + SubjectUniversallyUniqueIdentifierReferenceTypeLocation SubjectUniversallyUniqueIdentifierReferenceType = "location" + SubjectUniversallyUniqueIdentifierReferenceTypeParty SubjectUniversallyUniqueIdentifierReferenceType = "party" + SubjectUniversallyUniqueIdentifierReferenceTypeUser SubjectUniversallyUniqueIdentifierReferenceType = "user" +) -type OnDateRangeCondition struct { - End time.Time `json:"end" yaml:"end"` - Start time.Time `json:"start" yaml:"start"` -} +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). 
This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). 
This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. 
title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type SubjectType string + +const ( + SubjectTypeComponent SubjectType = "component" + SubjectTypeInventoryItem SubjectType = "inventory-item" + SubjectTypeLocation SubjectType = "location" + SubjectTypeParty SubjectType = "party" + SubjectTypeUser SubjectType = "user" +) -type AssessmentLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type FindingTarget struct { - Description string 
`json:"description,omitempty" yaml:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Status ObjectiveStatus `json:"status" yaml:"status"` - TargetId string `json:"target-id" yaml:"target-id"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` -} +// Qualifies the kind of document identifier using a URI. If the scheme is not provided the +// value of the element will be interpreted as a string of characters. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. +type DocumentIdentificationScheme string + +const ( + HTTPWWWDoiOrg DocumentIdentificationScheme = "http://www.doi.org/" +) -type ConstraintTest struct { - Expression string `json:"expression" yaml:"expression"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} +// Method by which a hash is derived +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. 
+// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. 
+// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type HashAlgorithm string + +const ( + SHA224 HashAlgorithm = "SHA-224" + SHA256 HashAlgorithm = "SHA-256" + SHA384 HashAlgorithm = "SHA-384" + SHA512 HashAlgorithm = "SHA-512" + Sha3224 HashAlgorithm = "SHA3-224" + Sha3256 HashAlgorithm = "SHA3-256" + Sha3384 HashAlgorithm = "SHA3-384" + Sha3512 HashAlgorithm = "SHA3-512" +) -type ImplementedRequirementControlImplementation struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Indicates the type of address. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. 
+// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. 
+// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type AddressType string + +const ( + AddressTypeHome AddressType = "home" + Work AddressType = "work" +) -type PortRange struct { - End int `json:"end,omitempty" yaml:"end,omitempty"` - Start int `json:"start,omitempty" yaml:"start,omitempty"` - Transport string `json:"transport,omitempty" yaml:"transport,omitempty"` -} +// Indicates the type of phone number. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. 
This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
+// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type TypeFlag string + +const ( + Mobile TypeFlag = "mobile" + Office TypeFlag = "office" + TypeFlagHome TypeFlag = "home" +) -type OriginActor struct { - ActorUuid string `json:"actor-uuid" yaml:"actor-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` - Type string `json:"type" yaml:"type"` -} +// Indicates the type of external identifier. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. +type ExternalIdentifierSchema string + +const ( + HTTPOrcidOrg ExternalIdentifierSchema = "http://orcid.org/" +) -type RelatedTask struct { - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} +// A category describing the kind of party the object describes. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. 
+// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. 
+// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) -type Facet struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - System string `json:"system" yaml:"system"` - Value string `json:"value" yaml:"value"` -} +// The unit of time for the period. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. 
+// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. 
+type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) -type RequiredAsset struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The type of task. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). 
This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type TaskType string + +const ( + Action TaskType = "action" + Milestone TaskType = "milestone" +) -type RiskLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedResponses *[]RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - StatusChange string `json:"status-change,omitempty" yaml:"status-change,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. 
This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type PartName string + +const ( + Asset PartName = "asset" + Method PartName = "method" + Objective PartName = "objective" +) -type MatchControlsByPattern struct { - Pattern string `json:"pattern,omitempty" yaml:"pattern,omitempty"` -} +// The kind of actor. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). 
This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ActorType string + +const ( + ActorTypeParty ActorType = "party" + AssessmentPlatform ActorType = "assessment-platform" + Tool ActorType = "tool" +) -type ControlGroup struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Groups *[]ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type InsertControls struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Order string `json:"order,omitempty" yaml:"order,omitempty"` -} - -type Add struct { - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Position string `json:"position,omitempty" yaml:"position,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` -} - -type Remove struct { - ByClass string `json:"by-class,omitempty" yaml:"by-class,omitempty"` - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - 
ByItemName string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty"` - ByName string `json:"by-name,omitempty" yaml:"by-name,omitempty"` - ByNs string `json:"by-ns,omitempty" yaml:"by-ns,omitempty"` -} - -type ByComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` - Export *Export `json:"export,omitempty" yaml:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Inherited *[]InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Satisfied *[]SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Statement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Identifies the implementation status of the control or control objective. +// +// A textual label that provides a sub-type or characterization of the property's name. 
This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. 
+// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). 
+// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ImplementationState string + +const ( + Alternative ImplementationState = "alternative" + ImplementationStatePlanned ImplementationState = "planned" + Implemented ImplementationState = "implemented" + NotApplicable ImplementationState = "not-applicable" + Partial ImplementationState = "partial" +) -type Diagram struct { - Caption string `json:"caption,omitempty" yaml:"caption,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The reason the objective was given it's status. 
+// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. 
When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. 
+type ObjectiveStatusReason string + +const ( + Fail ObjectiveStatusReason = "fail" + ObjectiveStatusReasonOther ObjectiveStatusReason = "other" + Pass ObjectiveStatusReason = "pass" +) -type InformationType struct { - AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact" yaml:"availability-impact"` - Categorizations *[]InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty"` - ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact" yaml:"confidentiality-impact"` - Description string `json:"description" yaml:"description"` - IntegrityImpact IntegrityImpactLevel `json:"integrity-impact" yaml:"integrity-impact"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} +// An indication as to whether the objective is satisfied or not. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) -type Hash struct { - Algorithm string `json:"algorithm" yaml:"algorithm"` - Value string `json:"value" yaml:"value"` -} +// Identifies the type of the target. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) -type LoggedBy struct { - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` -} +// Identifies how the observation was made. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. 
+// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. 
+// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +type ObservationMethod string + +const ( + Examine ObservationMethod = "EXAMINE" + Interview ObservationMethod = "INTERVIEW" + Test ObservationMethod = "TEST" + Unknown ObservationMethod = "UNKNOWN" +) -type ImplementationStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ObservationType string + +const ( + ControlObjective ObservationType = "control-objective" + Finding ObservationType = "finding" + Historic ObservationType = "historic" + Mitigation ObservationType = "mitigation" + SSPStatementIssue ObservationType = "ssp-statement-issue" +) -type ObjectiveStatus struct { - Reason string `json:"reason,omitempty" yaml:"reason,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} +// Specifies the naming system under which this risk metric is organized, which allows for +// the same names to be used in different systems controlled by different parties. This +// avoids the potential of a name clash. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. 
+type NamingSystem string + +const ( + HTTPCsrcNISTGovNSOscal NamingSystem = "http://csrc.nist.gov/ns/oscal" + HTTPCsrcNISTGovNSOscalUnknown NamingSystem = "http://csrc.nist.gov/ns/oscal/unknown" + HTTPCveMitreOrg NamingSystem = "http://cve.mitre.org" + HTTPWWWFirstOrgCvssV20 NamingSystem = "http://www.first.org/cvss/v2.0" + HTTPWWWFirstOrgCvssV30 NamingSystem = "http://www.first.org/cvss/v3.0" + HTTPWWWFirstOrgCvssV31 NamingSystem = "http://www.first.org/cvss/v3.1" + NamingSystemHTTPFedrampGov NamingSystem = "http://fedramp.gov" + NamingSystemHTTPFedrampGovNSOscal NamingSystem = "http://fedramp.gov/ns/oscal" +) -type ControlStatementImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. 
+// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type RemediationIntent string + +const ( + Completed RemediationIntent = "completed" + Recommendation RemediationIntent = "recommendation" + RemediationIntentPlanned RemediationIntent = "planned" +) -type IdentifiedSubject struct { - SubjectPlaceholderUuid string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` -} +// Describes the status of the associated risk. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type RiskStatus string + +const ( + Closed RiskStatus = "closed" + DeviationApproved RiskStatus = "deviation-approved" + DeviationRequested RiskStatus = "deviation-requested" + Investigating RiskStatus = "investigating" + Open RiskStatus = "open" + Remediating RiskStatus = "remediating" +) -type RiskResponseReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponseUuid string `json:"response-uuid" yaml:"response-uuid"` -} +// Specifies the source of the threat information. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. 
+type ThreatTypeIdentificationSystem string + +const ( + ThreatTypeIdentificationSystemHTTPFedrampGov ThreatTypeIdentificationSystem = "http://fedramp.gov" + ThreatTypeIdentificationSystemHTTPFedrampGovNSOscal ThreatTypeIdentificationSystem = "http://fedramp.gov/ns/oscal" +) -type Export struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Provided *[]ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Responsibilities *[]ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty"` -} +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) -type InheritedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// A category describing the purpose of the component. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. 
+// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. 
+type FluffyComponentType string + +const ( + FluffyGuidance FluffyComponentType = "guidance" + FluffyHardware FluffyComponentType = "hardware" + FluffyInterconnection FluffyComponentType = "interconnection" + FluffyPhysical FluffyComponentType = "physical" + FluffyPlan FluffyComponentType = "plan" + FluffyPolicy FluffyComponentType = "policy" + FluffyProcessProcedure FluffyComponentType = "process-procedure" + FluffyService FluffyComponentType = "service" + FluffySoftware FluffyComponentType = "software" + FluffyStandard FluffyComponentType = "standard" + FluffyValidation FluffyComponentType = "validation" +) -type SatisfiedControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibilityUuid string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Identifies the identification system from which the provided identifier was assigned. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. 
+type IdentificationSystemType string + +const ( + HTTPIETFOrgRFCRfc4122 IdentificationSystemType = "http://ietf.org/rfc/rfc4122" + HTTPSFedrampGov IdentificationSystemType = "https://fedramp.gov" + HTTPSIETFOrgRFCRfc4122 IdentificationSystemType = "https://ietf.org/rfc/rfc4122" + IdentificationSystemTypeHTTPFedrampGovNSOscal IdentificationSystemType = "http://fedramp.gov/ns/oscal" +) -type AvailabilityImpactLevel struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// When a control is included, whether its child (dependent) controls are also included. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) -type InformationTypeCategorization struct { - InformationTypeIds *[]string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty"` - System string `json:"system" yaml:"system"` -} +// How clashing controls should be handled +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. 
+// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. 
+type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) -type ConfidentialityImpactLevel struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// A designation of how a selection of controls in a profile is to be ordered. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). 
This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) -type IntegrityImpactLevel struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// Where to add the new content with respect to the targeted element (beside it or inside +// it) +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). 
This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) -type ProvidedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The current operating status. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. 
+// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. 
+type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) -type ControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Specifies the information type identification system used. +// +// A namespace qualifying the property's name. This allows different organizations to +// associate distinct semantics with the same name. +// +// A namespace qualifying the part's name. This allows different organizations to associate +// distinct semantics with the same name. +// +// The uniform resource locator (URL) for a web site or Internet presence associated with +// the location. +type InformationTypeIdentificationSystem string + +const ( + HTTPDoiOrg106028NISTSP80060V2R1 InformationTypeIdentificationSystem = "http://doi.org/10.6028/NIST.SP.800-60v2r1" +) diff --git a/src/types/oscal-1-0-6/types.go b/src/types/oscal-1-0-6/types.go index 7045cc0a..473d949b 100644 --- a/src/types/oscal-1-0-6/types.go +++ b/src/types/oscal-1-0-6/types.go 
@@ -1,1268 +1,3729 @@ -/* -This file was auto-generated with go-oscal. +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() -To regenerate: - - go-oscal generate \ - --input-file \ - --output-file // the path to this file must already exist \ - --tags json,yaml // the tags to add to the Go structs \ - --pkg // defaults to "main" - -For more information on how to use go-oscal: go-oscal --help - -Source: https://github.com/defenseunicorns/go-oscal -*/ package oscalTypes_1_0_6 -import ( - "time" -) - -type OscalModels = OscalCompleteSchema -type OscalCompleteSchema struct { - AssessmentPlan *AssessmentPlan `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty"` - AssessmentResults *AssessmentResults `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty"` - Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestones `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty"` - Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty"` - SystemSecurityPlan *SystemSecurityPlan `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty"` -} - -type AssessmentPlan struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - AssessmentSubjects *[]AssessmentSubject `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportSsp ImportSsp `json:"import-ssp" yaml:"import-ssp"` - LocalDefinitions *LocalDefinitions 
`json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentResults struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportAp ImportAp `json:"import-ap" yaml:"import-ap"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Results []Result `json:"results" yaml:"results"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Capabilities *[]Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty"` - Components *[]DefinedComponent `json:"components,omitempty" yaml:"components,omitempty"` - ImportComponentDefinitions *[]ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestones struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - 
ImportSsp *ImportSsp `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - PoamItems []PoamItem `json:"poam-items" yaml:"poam-items"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - SystemId *SystemId `json:"system-id,omitempty" yaml:"system-id,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Imports []Import `json:"imports" yaml:"imports"` - Merge *Merge `json:"merge,omitempty" yaml:"merge,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Modify *Modify `json:"modify,omitempty" yaml:"modify,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemSecurityPlan struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ControlImplementation ControlImplementation `json:"control-implementation" yaml:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation"` - UUID string `json:"uuid" yaml:"uuid"` -} - +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Schema *string `json:"$schema,omitempty" yaml:"$schema,omitempty" xml:"$schema,omitempty"` + Catalog 
*Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty" xml:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty" xml:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty" xml:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty" xml:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty" xml:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty" xml:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty" xml:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty" xml:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp" yaml:"import-ssp" xml:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty" xml:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. 
type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatform `json:"assessment-platforms" yaml:"assessment-platforms"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms" yaml:"assessment-platforms" xml:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty" xml:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A reference to a local or remote resource +type Link struct { + // A resolvable URL reference to a resource. + Href string `json:"href" yaml:"href" xml:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + // Describes the type of relationship provided by the link. This can be an indicator of the + // link's purpose. + Rel *string `json:"rel,omitempty" yaml:"rel,omitempty" xml:"rel,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty" yaml:"text,omitempty" xml:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. The value of a property is a simple scalar value, +// which may be expressed as a list of values. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. This + // can be used to further distinguish or discriminate between the semantics of multiple + // properties of the same object with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A textual label that uniquely identifies a specific attribute, characteristic, or quality + // of the property's containing object. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined property elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. 
+ UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type AssessmentSubject struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeSubjects *[]SelectSubjectById `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeSubjects *[]SelectSubjectById `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Type string `json:"type" yaml:"type"` +// A reference to a set of organizations or persons that have responsibility for performing +// a referenced role in the context of the containing object. 
+type ResponsibleParty struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids" yaml:"party-uuids" xml:"party-uuids"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to roles served by the user. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status" yaml:"status" xml:"status"` + // A human readable name for the system component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. 
+ Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name" yaml:"name" xml:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty" xml:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. 
+type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty" yaml:"start,omitempty" xml:"start,omitempty"` + // Indicates the transport type. + Transport *Transport `json:"transport,omitempty" yaml:"transport,omitempty" xml:"transport,omitempty"` } +// A reference to one or more roles with responsibility for performing a function relative +// to the containing object. +type ResponsibleRole struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty" xml:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to roles responsible for the business function. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state" yaml:"state" xml:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty" xml:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty" xml:"include-subjects,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources, which may be included directly or by reference. 
type BackMatter struct { - Resources *[]Resource `json:"resources,omitempty" yaml:"resources,omitempty"` -} - -type ImportSsp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type LocalDefinitions struct { - Activities *[]Activity `json:"activities,omitempty" yaml:"activities,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - ObjectivesAndMethods *[]LocalObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users *[]SystemUser `json:"users,omitempty" yaml:"users,omitempty"` -} - -type Metadata struct { - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified" yaml:"last-modified"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Locations *[]Location `json:"locations,omitempty" yaml:"locations,omitempty"` - OscalVersion string `json:"oscal-version" yaml:"oscal-version"` - Parties *[]Party `json:"parties,omitempty" yaml:"parties,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Revisions *[]Revision `json:"revisions,omitempty" yaml:"revisions,omitempty"` - Roles *[]Role `json:"roles,omitempty" yaml:"roles,omitempty"` - Title string `json:"title" yaml:"title"` - Version string `json:"version" yaml:"version"` -} - -type ReviewedControls struct { - ControlObjectiveSelections *[]ReferencedControlObjectives `json:"control-objective-selections,omitempty" 
yaml:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Task struct { - AssociatedActivities *[]AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty"` - Dependencies *[]TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentPlanTermsAndConditions struct { - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` + Resources []Resource `json:"resources,omitempty" yaml:"resources,omitempty" xml:"resources,omitempty"` } -type ImportAp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Result struct { - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty"` - Attestations *[]AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty"` - 
Description string `json:"description" yaml:"description"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Control struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type Group struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type 
Parameter struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - ID string `json:"id" yaml:"id"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type Capability struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - IncorporatesComponents *[]IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DefinedComponent struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" 
yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImportComponentDefinition struct { - Href string `json:"href" yaml:"href"` -} - -type PlanOfActionAndMilestonesLocalDefinitions struct { - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Observation struct { - Collected time.Time `json:"collected" yaml:"collected"` - Description string `json:"description" yaml:"description"` - Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Methods []string `json:"methods" yaml:"methods"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelevantEvidence *[]RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Types *[]string `json:"types,omitempty" yaml:"types,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PoamItem struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation 
`json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} - -type Risk struct { - Characterizations *[]Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty"` - Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - MitigatingFactors *[]MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - Remediations *[]Response `json:"remediations,omitempty" yaml:"remediations,omitempty"` - RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty"` - Statement string `json:"statement" yaml:"statement"` - Status string `json:"status" yaml:"status"` - ThreatIds *[]ThreatId `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemId struct { - ID string `json:"id" yaml:"id"` - IdentifierType string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty"` -} - -type Import struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - Href string `json:"href" yaml:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" 
yaml:"include-controls,omitempty"` -} - -type Merge struct { - AsIs bool `json:"as-is,omitempty" yaml:"as-is,omitempty"` - Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty"` - Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty"` - Flat *Flat `json:"flat,omitempty" yaml:"flat,omitempty"` -} - -type Modify struct { - Alters *[]Alter `json:"alters,omitempty" yaml:"alters,omitempty"` - SetParameters *[]ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` -} - -type ControlImplementation struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirement `json:"implemented-requirements" yaml:"implemented-requirements"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` -} - -type ImportProfile struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A resource associated with content in the containing document. A resource may be directly +// included in the document base64 encoded or may point to one or more equivalent internet +// resources. +type Resource struct { + // The Base64 alphabet in RFC 2045 - aligned with XSD. + Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty" xml:"base64,omitempty"` + // A citation consisting of end note text and optional structured bibliographic data. + Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty" xml:"citation,omitempty"` + // A short summary of the resource used to indicate the purpose of the resource. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty" xml:"rlinks,omitempty"` + // A name given to the resource, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID + // should be assigned per-subject, which means it should be consistently used to identify + // the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The Base64 alphabet in RFC 2045 - aligned with XSD. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty" yaml:"filename,omitempty" xml:"filename,omitempty"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + Value string `json:"value" yaml:"value" xml:"value"` } -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty"` - DateAuthorized string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level" yaml:"security-impact-level"` - SecuritySensitivityLevel string `json:"security-sensitivity-level" yaml:"security-sensitivity-level"` - Status Status `json:"status" yaml:"status"` - SystemIds []SystemId `json:"system-ids" yaml:"system-ids"` - SystemInformation SystemInformation `json:"system-information" yaml:"system-information"` - SystemName string `json:"system-name" yaml:"system-name"` - SystemNameShort string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty"` +// A citation consisting of end note text and optional structured bibliographic data. +type Citation struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A line of citation text. + Text string `json:"text" yaml:"text" xml:"text"` +} + +// A document identifier qualified by an identifier scheme. 
A document identifier provides a +// globally unique identifier with a cross-instance scope that is used for a group of +// documents that are to be treated as different versions of the same document. If this +// element does not appear, or if the value of this element is empty, the value of +// "document-id" is equal to the value of the "uuid" flag of the top-level root element. +type DocumentIdentifier struct { + Identifier string `json:"identifier" yaml:"identifier" xml:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. + Scheme *string `json:"scheme,omitempty" yaml:"scheme,omitempty" xml:"scheme,omitempty"` +} + +// A pointer to an external resource with an optional hash for verification and change +// detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty" yaml:"hashes,omitempty" xml:"hashes,omitempty"` + // A resolvable URI reference to a resource. + Href string `json:"href" yaml:"href" xml:"href"` + // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media + // Types Registry. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` } -type SystemImplementation struct { - Components []SystemComponent `json:"components" yaml:"components"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - LeveragedAuthorizations *[]LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users []SystemUser `json:"users" yaml:"users"` -} - -type AssessmentPlatform struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UsesComponents *[]UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemComponent struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Status SystemComponentStatus `json:"status" yaml:"status"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SelectSubjectById struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props 
*[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Type string `json:"type" yaml:"type"` -} - -type IncludeAll = map[string]interface{} - -type Link struct { - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Rel string `json:"rel,omitempty" yaml:"rel,omitempty"` - Text string `json:"text,omitempty" yaml:"text,omitempty"` +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // Method by which a hash is derived + Algorithm string `json:"algorithm" yaml:"algorithm" xml:"algorithm"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Property struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` - Value string `json:"value" yaml:"value"` +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type Resource struct { - Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty"` - Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Rlinks *[]ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. 
type Activity struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedControls *ReviewedControls `json:"related-controls,omitempty" yaml:"related-controls,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Steps *[]Step `json:"steps,omitempty" yaml:"steps,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` + // A human-readable description of this included activity. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty" yaml:"related-controls,omitempty" xml:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty" yaml:"steps,omitempty" xml:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty" xml:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections" xml:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty" xml:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty" xml:"include-objectives,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id" yaml:"objective-id" xml:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeControls []SelectControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []SelectControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type SelectControl struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty" xml:"statement-ids,omitempty"` } +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty" xml:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A single managed inventory item within the system. 
type InventoryItem struct { - Description string `json:"description" yaml:"description"` - ImplementedComponents *[]ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type LocalObjective struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Parts []Part `json:"parts" yaml:"parts"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty" xml:"implemented-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Parts []Part `json:"parts" yaml:"parts" xml:"parts"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A partition of a control's definition or a child of another part. +type Part struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined part elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. type SystemUser struct { - AuthorizedPrivileges *[]AuthorizedPrivilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleIds *[]string `json:"role-ids,omitempty" yaml:"role-ids,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DocumentId struct { - Identifier string `json:"identifier" yaml:"identifier"` - Scheme string `json:"scheme,omitempty" yaml:"scheme,omitempty"` -} - + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty" xml:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty" yaml:"role-ids,omitempty" xml:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed" xml:"functions-performed"` + // A human readable name for the privilege. 
+ Title string `json:"title" yaml:"title" xml:"title"` +} + +// Provides information about the publication and availability of the containing document. +type PublicationMetadata struct { + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified" yaml:"last-modified" xml:"last-modified"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Locations []Location `json:"locations,omitempty" yaml:"locations,omitempty" xml:"locations,omitempty"` + OscalVersion string `json:"oscal-version" yaml:"oscal-version" xml:"oscal-version"` + Parties []PartyOrganizationOrPerson `json:"parties,omitempty" yaml:"parties,omitempty" xml:"parties,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty" xml:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty" yaml:"roles,omitempty" xml:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// A location, with associated metadata that can be referenced. 
type Location struct { - Address Address `json:"address" yaml:"address"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Urls *[]string `json:"urls,omitempty" yaml:"urls,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Party struct { - Addresses *[]Address `json:"addresses,omitempty" yaml:"addresses,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - ExternalIds *[]PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocationUuids *[]string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty"` - MemberOfOrganizations *[]string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty"` - Name string `json:"name,omitempty" yaml:"name,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ResponsibleParty struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids []string `json:"party-uuids" yaml:"party-uuids"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId 
string `json:"role-id" yaml:"role-id"` -} - -type Revision struct { - LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - OscalVersion string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Version string `json:"version" yaml:"version"` -} - + Address Address `json:"address" yaml:"address" xml:"address"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Urls []string `json:"urls,omitempty" yaml:"urls,omitempty" xml:"urls,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined location elsewhere in this or other OSCAL instances. The + // locally defined UUID of the location can be used to reference the data item locally or + // globally (e.g., from an importing OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty" xml:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty" yaml:"city,omitempty" xml:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty" yaml:"country,omitempty" xml:"country,omitempty"` + // Postal or ZIP code for mailing address + PostalCode *string `json:"postal-code,omitempty" yaml:"postal-code,omitempty" xml:"postal-code,omitempty"` + // State, province or analogous geographical region for mailing address + State *string `json:"state,omitempty" yaml:"state,omitempty" xml:"state,omitempty"` + // Indicates the type of address. + Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// Contact number by telephone. +type TelephoneNumber struct { + Number string `json:"number" yaml:"number" xml:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// A responsible entity which is either a person or an organization. 
+type PartyOrganizationOrPerson struct { + Addresses []Address `json:"addresses,omitempty" yaml:"addresses,omitempty" xml:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty" xml:"external-ids,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty" xml:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty" xml:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty" yaml:"name,omitempty" xml:"name,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. + Type PartyType `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this defined party elsewhere in this or other OSCAL instances. The locally + // defined UUID of the party can be used to reference the data item locally or globally + // (e.g., from an importing OSCAL instance). 
This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID) +type PartyExternalIdentifier struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme" yaml:"scheme" xml:"scheme"` +} + +// An entry in a sequential list of revisions to the containing document in reverse +// chronological order (i.e., most recent previous revision first). +type RevisionHistoryEntry struct { + LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty" xml:"last-modified,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty" xml:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// Defines a function assumed or expected to be assumed by a party in a specific situation. 
type Role struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title" yaml:"title"` + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined role elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL + // instance must be referenced in the context of the containing resource (e.g., import, + // import-component-definition, import-profile, import-ssp or import-ap). This ID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ID string `json:"id" yaml:"id" xml:"id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. 
+type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty" xml:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty" xml:"dependencies,omitempty"` + // A human-readable description of this task. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty" xml:"timing,omitempty"` + // The title for this task. + Title string `json:"title" yaml:"title" xml:"title"` + // The type of task. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. 
+type AssociatedActivity struct { + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid" yaml:"activity-uuid" xml:"activity-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } -type ReferencedControlObjectives struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeObjectives *[]SelectObjectiveById `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeObjectives *[]SelectObjectiveById `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// Used to indicate that a task is dependent on another task. +type TaskDependency struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. 
+ TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` } -type AssessedControls struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeControls *[]SelectControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// The timing under which the task is intended to occur. +type EventTiming struct { + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty" xml:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty" xml:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty" xml:"within-date-range,omitempty"` } -type AssociatedActivity struct { - ActivityUuid string `json:"activity-uuid" yaml:"activity-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. 
+ Period int64 `json:"period" yaml:"period" xml:"period"` + // The unit of time for the period. + Unit TimeUnit `json:"unit" yaml:"unit" xml:"unit"` } -type TaskDependency struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date" yaml:"date" xml:"date"` } -type ResponsibleRole struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids *[]string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end" yaml:"end" xml:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start" yaml:"start" xml:"start"` } -type EventTiming struct { - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty"` - OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty"` - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty"` +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. +type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` } +// A partition of an assessment plan or results or a child of another part. 
type AssessmentPart struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. +type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap" yaml:"import-ap" xml:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Results []AssessmentResult `json:"results" yaml:"results" xml:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. +type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty" xml:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty" xml:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Findings []Finding `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this set of results. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries" yaml:"entries"` +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this event. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. +type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty" xml:"identified-subject,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. 
+ SubjectPlaceholderUUID string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid" xml:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } +// A set of textual statements, typically written by the assessor. type AttestationStatements struct { - Parts []AssessmentPart `json:"parts" yaml:"parts"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` + Parts []AssessmentPart `json:"parts" yaml:"parts" xml:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } +// Describes an individual finding. type Finding struct { - Description string `json:"description" yaml:"description"` - ImplementationStatementUuid string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Target FindingTarget `json:"target" yaml:"target"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Part struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" 
yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` + // A human-readable description of this finding. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. + ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty" xml:"implementation-statement-uuid,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Target TargetClass `json:"target" yaml:"target" xml:"target"` + // The title for this finding. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. +type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid" yaml:"actor-uuid" xml:"actor-uuid"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type" yaml:"type" xml:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. 
+type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status" yaml:"status" xml:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id" yaml:"target-id" xml:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type" yaml:"type" xml:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state" yaml:"state" xml:"state"` } -type ParameterConstraint struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Tests *[]ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty"` +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. 
+ Reason *string `json:"reason,omitempty" yaml:"reason,omitempty" xml:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state" yaml:"state" xml:"state"` } -type ParameterGuideline struct { - Prose string `json:"prose" yaml:"prose"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } -type ParameterSelection struct { - Choice *[]string `json:"choice,omitempty" yaml:"choice,omitempty"` - HowMany string `json:"how-many,omitempty" yaml:"how-many,omitempty"` +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected" yaml:"collected" xml:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. + // Typically used with continuous assessment scenarios. 
+ Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty" xml:"expires,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Methods []string `json:"methods" yaml:"methods" xml:"methods"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty" xml:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Types []string `json:"types,omitempty" yaml:"types,omitempty" xml:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. + Description string `json:"description" yaml:"description" xml:"description"` + // A resolvable URL reference to relevant evidence. 
+ Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty" xml:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty" xml:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty" xml:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty" yaml:"remediations,omitempty" xml:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty" xml:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. + Statement string `json:"statement" yaml:"statement" xml:"statement"` + Status string `json:"status" yaml:"status" xml:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty" xml:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. 
+type Characterization struct { + Facets []Facet `json:"facets" yaml:"facets" xml:"facets"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origin FindingOrigin `json:"origin" yaml:"origin" xml:"origin"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type ControlImplementationSet struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirementControlImplementation `json:"implemented-requirements" yaml:"implemented-requirements"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Source string `json:"source" yaml:"source"` - UUID string `json:"uuid" yaml:"uuid"` +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system" yaml:"system" xml:"system"` + // Indicates the value of the facet. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. 
+type MitigatingFactor struct { + // A human-readable description of this mitigating factor. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. + // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty" xml:"implementation-uuid,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. 
+ ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. + Lifecycle string `json:"lifecycle" yaml:"lifecycle" xml:"lifecycle"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty" xml:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all risk-related tasks taken. +type RiskLog struct { + Entries []RiskLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type IncorporatesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty" xml:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + StatusChange *string `json:"status-change,omitempty" yaml:"status-change,omitempty" xml:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. 
+type RiskResponseReference struct { + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid" yaml:"response-uuid" xml:"response-uuid"` } -type Protocol struct { - Name string `json:"name" yaml:"name"` - PortRanges *[]PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + ID string `json:"id" yaml:"id" xml:"id"` + // Specifies the source of the threat information. + System string `json:"system" yaml:"system" xml:"system"` } -type Origin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` +// A collection of controls. 
+type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + // A globally unique identifier with cross-instance scope for this catalog instance. This + // UUID should be changed when this document is revised. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A structured information object representing a security or privacy control. Each security +// or privacy control within the Catalog is defined by a distinct control instance. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + // A human-oriented, locally unique identifier with instance scope that can be used to + // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This + // id should be assigned per-subject, which means it should be consistently used to identify + // the same control across revisions of the document. 
+ ID string `json:"id" yaml:"id" xml:"id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ID string `json:"id" yaml:"id" xml:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. 
+ Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty" xml:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint + Expression string `json:"expression" yaml:"expression" xml:"expression"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type RelevantEvidence struct { - Description string `json:"description" yaml:"description"` - Href string `json:"href,omitempty" yaml:"href,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. 
+ Prose string `json:"prose" yaml:"prose" xml:"prose"` } -type SubjectReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// Presenting a choice among alternatives +type Selection struct { + Choice []string `json:"choice,omitempty" yaml:"choice,omitempty" xml:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. + HowMany *ParameterCardinality `json:"how-many,omitempty" yaml:"how-many,omitempty" xml:"how-many,omitempty"` } +// A group of controls, or of groups of controls. +type ControlGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in in this and other OSCAL instances (e.g., + // profiles). This id should be assigned per-subject, which means it should be consistently + // used to identify the same group across revisions of the document. 
+ ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. +type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty" xml:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty" xml:"import-component-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component definition elsewhere in this or other OSCAL instances. The + // locally defined UUID of the component definition can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A grouping of other components and/or capabilities. 
+type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description" yaml:"description" xml:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty" xml:"incorporates-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this capability elsewhere in this or other OSCAL instances. The locally + // defined UUID of the capability can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the component or capability supports a set of controls. +type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. 
+ Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source" yaml:"source" xml:"source"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a set of implemented controls elsewhere in this or other OSCAL instances. + // The locally defined UUID of the control implementation set can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A suggestion for how the specified control may be implemented if the containing component + // or capability is instantiated in a system security plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference a specific control implementation elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance).This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Values []string `json:"values" yaml:"values" xml:"values"` +} + +// Identifies which statements within a control are addressed. 
+type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// TBD +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href" yaml:"href" xml:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. 
+type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty" xml:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items" yaml:"poam-items" xml:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty" yaml:"system-id,omitempty" xml:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +type PlanOfActionAndMilestonesLocalDefinitions struct { + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. type PoamItemOrigin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` } -type RelatedObservation struct { - ObservationUuid string `json:"observation-uuid" yaml:"observation-uuid"` +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. 
+ ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` } -type AssociatedRisk struct { - RiskUuid string `json:"risk-uuid" yaml:"risk-uuid"` +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` } -type Characterization struct { - Facets []Facet `json:"facets" yaml:"facets"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origin Origin `json:"origin" yaml:"origin"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` -} - -type MitigatingFactor struct { - Description string `json:"description" yaml:"description"` - ImplementationUuid string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Response struct { - Description string `json:"description" yaml:"description"` - Lifecycle string `json:"lifecycle" yaml:"lifecycle"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RequiredAssets *[]RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type RiskLog struct { - Entries []RiskLogEntry `json:"entries" yaml:"entries"` -} - -type ThreatId struct { - Href string 
`json:"href,omitempty" yaml:"href,omitempty"` - ID string `json:"id" yaml:"id"` - System string `json:"system" yaml:"system"` -} - -type SelectControlById struct { - Matching *[]MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty"` - WithChildControls string `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty"` - WithIds *[]string `json:"with-ids,omitempty" yaml:"with-ids,omitempty"` +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty" xml:"identifier-type,omitempty"` } +// Each OSCAL profile is defined by a Profile element +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Imports []ImportResource `json:"imports" yaml:"imports" xml:"imports"` + Merge *MergeControls `json:"merge,omitempty" yaml:"merge,omitempty" xml:"merge,omitempty"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Modify *ModifyControls `json:"modify,omitempty" yaml:"modify,omitempty" xml:"modify,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this profile elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the profile can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance).This identifier should be assigned per-subject, which means + // it should be consistently used to identify the same profile across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The import designates a catalog or profile to be included (referenced and potentially +// modified) by this profile. The import also identifies which controls to select using the +// include-all, include-controls, and exclude-controls directives. +type ImportResource struct { + ExcludeControls []Call `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. + Href string `json:"href" yaml:"href" xml:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` +} + +// Call a control by its ID +type Call struct { + Matching []MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty" xml:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty" xml:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty" yaml:"with-ids,omitempty" xml:"with-ids,omitempty"` +} + +// Select controls by (regular expression) match on ID +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. 
+ Pattern *string `json:"pattern,omitempty" yaml:"pattern,omitempty" xml:"pattern,omitempty"` +} + +// A Merge element provides structuring directives that drive how controls are organized +// after resolution. +type MergeControls struct { + // An As-is element indicates that the controls should be structured in resolution as they + // are structured in their source catalogs. It does not contain any elements or attributes. + AsIs *bool `json:"as-is,omitempty" yaml:"as-is,omitempty" xml:"as-is,omitempty"` + // A Combine element defines how to combine multiple (competing) versions of the same + // control. + Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty" xml:"combine,omitempty"` + // A Custom element frames a structure for embedding represented controls in resolution. + Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty" xml:"custom,omitempty"` + // Use the flat structuring method. + Flat *Flat `json:"flat,omitempty" yaml:"flat,omitempty" xml:"flat,omitempty"` +} + +// A Combine element defines how to combine multiple (competing) versions of the same +// control. type CombinationRule struct { - Method string `json:"method,omitempty" yaml:"method,omitempty"` + // How clashing controls should be handled + Method *CombinationMethod `json:"method,omitempty" yaml:"method,omitempty" xml:"method,omitempty"` } +// A Custom element frames a structure for embedding represented controls in resolution. 
type CustomGrouping struct { - Groups *[]ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` -} - -type Flat = map[string]interface{} - -type Alter struct { - Adds *[]Add `json:"adds,omitempty" yaml:"adds,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Removes *[]Remove `json:"removes,omitempty" yaml:"removes,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined group elsewhere in this or other OSCAL instances. When referenced + // from another OSCAL instance, this identifier must be referenced in the context of the + // containing resource (e.g., import-profile). This id should be assigned per-subject, which + // means it should be consistently used to identify the same group across revisions of the + // document. 
+ ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + InsertControls []SelectControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Specifies which controls to use in the containing context. +type SelectControls struct { + ExcludeControls []Call `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []Call `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty" yaml:"order,omitempty" xml:"order,omitempty"` +} + +// Use the flat structuring method. +type Flat struct { +} + +// Set parameters or amend controls in resolution +type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty" yaml:"alters,omitempty" xml:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// An Alter element specifies changes to be made to an included control when a profile is +// resolved. 
+type Alteration struct { + Adds []Addition `json:"adds,omitempty" yaml:"adds,omitempty" xml:"adds,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Removes []Removal `json:"removes,omitempty" yaml:"removes,omitempty" xml:"removes,omitempty"` +} + +// Specifies contents to be added into controls, in resolution +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []Part `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside it) + Position *Position `json:"position,omitempty" yaml:"position,omitempty" xml:"position,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty" yaml:"by-class,omitempty" xml:"by-class,omitempty"` + // Identify items to remove indicated by their id. 
+ ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + // Identify items to remove by the name of the item's information element name, e.g. title + // or prop + ByItemName *string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty" xml:"by-item-name,omitempty"` + // Identify items to remove by matching their assigned name + ByName *string `json:"by-name,omitempty" yaml:"by-name,omitempty" xml:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty" yaml:"by-ns,omitempty" xml:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion +type ParameterSetting struct { + // A textual label that provides a characterization of the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A human-oriented, locally unique identifier with cross-instance scope that can be used to + // reference this defined parameter elsewhere in this or other OSCAL instances. When + // referenced from another OSCAL instance, this identifier must be referenced in the context + // of the containing resource (e.g., import-profile). 
This id should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18 +type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation" yaml:"control-implementation" xml:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile" xml:"import-profile"` + Metadata PublicationMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics" xml:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation" xml:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. +type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + // A human-oriented identifier reference to a control with a corresponding id value. When + // referencing an externally defined control, the Control Identifier Reference must be used + // in the context of the external / imported OSCAL instance (e.g., uri-reference). 
+ ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. 
+ Export *Export `json:"export,omitempty" yaml:"export,omitempty" xml:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty" xml:"inherited,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty" xml:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty" xml:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty" xml:"responsibilities,omitempty"` } -type ParameterSetting struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - ParamId string `json:"param-id" yaml:"param-id"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type ImplementedRequirement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - 
SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]Statement `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SetParameter struct { - ParamId string `json:"param-id" yaml:"param-id"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Values []string `json:"values" yaml:"values"` +// Describes a capability which may be inherited by a leveraging system. +type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. 
+type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. + ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. + ResponsibilityUUID *string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty" xml:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies which statements within a control are addressed. 
+type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. +type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. 
+type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary" xml:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty" xml:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty" xml:"date-authorized,omitempty"` + // A summary of the system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty" xml:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level" yaml:"security-impact-level" xml:"security-impact-level"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel string `json:"security-sensitivity-level" yaml:"security-sensitivity-level" xml:"security-sensitivity-level"` + Status SystemCharacteristicsStatus `json:"status" yaml:"status" xml:"status"` + SystemIDS []SystemIdentification `json:"system-ids" yaml:"system-ids" xml:"system-ids"` + SystemInformation SystemInformation `json:"system-information" yaml:"system-information" xml:"system-information"` + // The full name of the system. + SystemName string `json:"system-name" yaml:"system-name" xml:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. 
+ SystemNameShort *string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty" xml:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. type AuthorizationBoundary struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's authorization boundary. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty" yaml:"caption,omitempty" xml:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. 
The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. type DataFlow struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's data flow. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. type NetworkArchitecture struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's network architecture. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. type SecurityImpactLevel struct { - SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability"` - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality"` - SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity"` -} - -type Status struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability" xml:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality" xml:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity" xml:"security-objective-integrity"` +} + +// Describes the operational status of the system. 
+type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state" yaml:"state" xml:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. type SystemInformation struct { - InformationTypes []InformationType `json:"information-types" yaml:"information-types"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` -} - -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized" yaml:"date-authorized"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type UsesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type SystemComponentStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Base64 struct { - Filename string `json:"filename,omitempty" yaml:"filename,omitempty"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Value string `json:"value" yaml:"value"` -} - -type Citation struct { - Links *[]Link `json:"links,omitempty" 
yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Text string `json:"text" yaml:"text"` -} - -type ResourceLink struct { - Hashes *[]Hash `json:"hashes,omitempty" yaml:"hashes,omitempty"` - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` -} - -type Step struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControls `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImplementedComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type AuthorizedPrivilege struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed"` - Title string `json:"title" yaml:"title"` -} - -type Address struct { - AddrLines *[]string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty"` - City string `json:"city,omitempty" yaml:"city,omitempty"` - Country string `json:"country,omitempty" yaml:"country,omitempty"` - PostalCode string `json:"postal-code,omitempty" yaml:"postal-code,omitempty"` - State string `json:"state,omitempty" 
yaml:"state,omitempty"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type TelephoneNumber struct { - Number string `json:"number" yaml:"number"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type PartyExternalIdentifier struct { - ID string `json:"id" yaml:"id"` - Scheme string `json:"scheme" yaml:"scheme"` -} - -type SelectObjectiveById struct { - ObjectiveId string `json:"objective-id" yaml:"objective-id"` -} - -type SelectControl struct { - ControlId string `json:"control-id" yaml:"control-id"` - StatementIds *[]string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty"` -} - -type FrequencyCondition struct { - Period int `json:"period" yaml:"period"` - Unit string `json:"unit" yaml:"unit"` -} - -type OnDateCondition struct { - Date time.Time `json:"date" yaml:"date"` -} - -type OnDateRangeCondition struct { - End time.Time `json:"end" yaml:"end"` - Start time.Time `json:"start" yaml:"start"` -} - -type AssessmentLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type FindingTarget struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property 
`json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Status ObjectiveStatus `json:"status" yaml:"status"` - TargetId string `json:"target-id" yaml:"target-id"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` -} - -type ConstraintTest struct { - Expression string `json:"expression" yaml:"expression"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type ImplementedRequirementControlImplementation struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PortRange struct { - End int `json:"end,omitempty" yaml:"end,omitempty"` - Start int `json:"start,omitempty" yaml:"start,omitempty"` - Transport string `json:"transport,omitempty" yaml:"transport,omitempty"` -} - -type OriginActor struct { - ActorUuid string `json:"actor-uuid" yaml:"actor-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` - Type string `json:"type" yaml:"type"` -} - -type RelatedTask struct { - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props 
*[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} - -type Facet struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - System string `json:"system" yaml:"system"` - Value string `json:"value" yaml:"value"` -} - -type RequiredAsset struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type RiskLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedResponses *[]RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - StatusChange string `json:"status-change,omitempty" yaml:"status-change,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID 
string `json:"uuid" yaml:"uuid"` -} - -type MatchControlsByPattern struct { - Pattern string `json:"pattern,omitempty" yaml:"pattern,omitempty"` -} - -type ControlGroup struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Groups *[]ControlGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type InsertControls struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Order string `json:"order,omitempty" yaml:"order,omitempty"` -} - -type Add struct { - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Position string `json:"position,omitempty" yaml:"position,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` -} - -type Remove struct { - ByClass string `json:"by-class,omitempty" yaml:"by-class,omitempty"` - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - ByItemName string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty"` - ByName string `json:"by-name,omitempty" yaml:"by-name,omitempty"` - ByNs string 
`json:"by-ns,omitempty" yaml:"by-ns,omitempty"` -} - -type ByComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` - Export *Export `json:"export,omitempty" yaml:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Inherited *[]InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Satisfied *[]SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Statement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Diagram struct { - Caption string `json:"caption,omitempty" yaml:"caption,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string 
`json:"uuid" yaml:"uuid"` + InformationTypes []InformationType `json:"information-types" yaml:"information-types" xml:"information-types"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. type InformationType struct { - AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact" yaml:"availability-impact"` - Categorizations *[]InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty"` - ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact" yaml:"confidentiality-impact"` - Description string `json:"description" yaml:"description"` - IntegrityImpact IntegrityImpactLevel `json:"integrity-impact" yaml:"integrity-impact"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` + // The expected level of impact resulting from the disruption of access to or use of the + // described information or the information system. + AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact" yaml:"availability-impact" xml:"availability-impact"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty" xml:"categorizations,omitempty"` + // The expected level of impact resulting from the unauthorized disclosure of the described + // information. + ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact" yaml:"confidentiality-impact" xml:"confidentiality-impact"` + // A summary of how this information type is used within the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + // The expected level of impact resulting from the unauthorized modification of the + // described information. + IntegrityImpact IntegrityImpactLevel `json:"integrity-impact" yaml:"integrity-impact" xml:"integrity-impact"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// The expected level of impact resulting from the disruption of access to or use of the +// described information or the information system. 
+type AvailabilityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type Hash struct { - Algorithm string `json:"algorithm" yaml:"algorithm"` - Value string `json:"value" yaml:"value"` +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty" xml:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system" yaml:"system" xml:"system"` } -type LoggedBy struct { - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` +// The expected level of impact resulting from the unauthorized disclosure of the described +// information. 
+type ConfidentialityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type ImplementationStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` +// The expected level of impact resulting from the unauthorized modification of the +// described information. +type IntegrityImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` } -type ObjectiveStatus struct { - Reason string `json:"reason,omitempty" yaml:"reason,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components" yaml:"components" xml:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty" xml:"leveraged-authorizations,omitempty"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users" yaml:"users" xml:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized" yaml:"date-authorized" xml:"date-authorized"` + Links []Link `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Indicates the transport type. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). 
This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) -type ControlStatementImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The operational status. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. 
+// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. 
When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. 
More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) -type IdentifiedSubject struct { - SubjectPlaceholderUuid string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` -} +// A category describing the kind of party the object describes. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. 
+// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) -type RiskResponseReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponseUuid string `json:"response-uuid" yaml:"response-uuid"` -} +// The unit of time for the period. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) -type Export struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Provided *[]ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Responsibilities *[]ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty"` -} +// The kind of actor. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. 
+// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) -type InheritedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// An indication as to whether the objective is satisfied or not. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) -type SatisfiedControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibilityUuid string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Identifies the type of the target. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. 
+// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) -type AvailabilityImpactLevel struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) -type InformationTypeCategorization struct { - InformationTypeIds *[]string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty"` - System string `json:"system" yaml:"system"` -} +// When a control is included, whether its child (dependent) controls are also included. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. 
+// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. 
When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. 
More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) -type ConfidentialityImpactLevel struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// How clashing controls should be handled +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. 
+// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) -type IntegrityImpactLevel struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// A designation of how a selection of controls in a profile is to be ordered. +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) -type ProvidedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Where to add the new content with respect to the targeted element (beside it or inside +// it) +// +// Describes the type of relationship provided by the link. This can be an indicator of the +// link's purpose. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. This +// can be used to further distinguish or discriminate between the semantics of multiple +// properties of the same object with the same name and ns. +// +// A textual label that provides a sub-type or characterization of the control. +// +// A human-oriented, locally unique identifier with instance scope that can be used to +// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This +// id should be assigned per-subject, which means it should be consistently used to identify +// the same control across revisions of the document. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined parameter elsewhere in this or other OSCAL instances. 
When +// referenced from another OSCAL instance, this identifier must be referenced in the context +// of the containing resource (e.g., import-profile). This id should be assigned +// per-subject, which means it should be consistently used to identify the same subject +// across revisions of the document. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined part elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same subject across revisions of the +// document. +// +// A textual label that uniquely identifies the part's semantic type. +// +// A textual label that provides a sub-type or characterization of the group. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in in this and other OSCAL instances (e.g., +// profiles). This id should be assigned per-subject, which means it should be consistently +// used to identify the same group across revisions of the document. +// +// A human-oriented identifier reference to roles served by the user. +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced +// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL +// instance must be referenced in the context of the containing resource (e.g., import, +// import-component-definition, import-profile, import-ssp or import-ap). This ID should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// +// +// A human-oriented, locally unique identifier with cross-instance scope that can be used to +// reference this defined group elsewhere in this or other OSCAL instances. When referenced +// from another OSCAL instance, this identifier must be referenced in the context of the +// containing resource (e.g., import-profile). This id should be assigned per-subject, which +// means it should be consistently used to identify the same group across revisions of the +// document. +// +// Target location of the addition. +// +// A human-oriented identifier reference to a control with a corresponding id value. When +// referencing an externally defined control, the Control Identifier Reference must be used +// in the context of the external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items to remove by the name of the item's information element name, e.g. title +// or prop +// +// Identify items to remove by matching their assigned name +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A human-oriented identifier reference to roles responsible for the business function. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. 
+// +// Used to constrain the selection to only specificity identified statements. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// A textual label that uniquely identifies a specific attribute, characteristic, or quality +// of the property's containing object. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) -type ControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The current operating status. +// +// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media +// Types Registry. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address +// +// State, province or analogous geographical region for mailing address +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. 
+// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against. +// +// A string used to distinguish the current version of the document from other previous (and +// future) versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// Method by which a hash is derived +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/oscal-1-1-0/types.go b/src/types/oscal-1-1-0/types.go index debd341a..77bf7291 100644 --- a/src/types/oscal-1-1-0/types.go +++ b/src/types/oscal-1-1-0/types.go 
@@ -1,1273 +1,3754 @@ -/* -This file was auto-generated with go-oscal. +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() -To regenerate: - - go-oscal generate \ - --input-file \ - --output-file // the path to this file must already exist \ - --tags json,yaml // the tags to add to the Go structs \ - --pkg // defaults to "main" - -For more information on how to use go-oscal: go-oscal --help - -Source: https://github.com/defenseunicorns/go-oscal -*/ package oscalTypes_1_1_0 -import ( - "time" -) - -type OscalModels = OscalCompleteSchema -type OscalCompleteSchema struct { - AssessmentPlan *AssessmentPlan `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty"` - AssessmentResults *AssessmentResults `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty"` - Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestones `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty"` - Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty"` - SystemSecurityPlan *SystemSecurityPlan `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty"` -} - -type AssessmentPlan struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - AssessmentSubjects *[]AssessmentSubject `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportSsp ImportSsp `json:"import-ssp" yaml:"import-ssp"` - LocalDefinitions *LocalDefinitions 
`json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentResults struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportAp ImportAp `json:"import-ap" yaml:"import-ap"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Results []Result `json:"results" yaml:"results"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Capabilities *[]Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty"` - Components *[]DefinedComponent `json:"components,omitempty" yaml:"components,omitempty"` - ImportComponentDefinitions *[]ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestones struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - 
Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - ImportSsp *ImportSsp `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - PoamItems []PoamItem `json:"poam-items" yaml:"poam-items"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - SystemId *SystemId `json:"system-id,omitempty" yaml:"system-id,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Imports []Import `json:"imports" yaml:"imports"` - Merge *Merge `json:"merge,omitempty" yaml:"merge,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Modify *Modify `json:"modify,omitempty" yaml:"modify,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemSecurityPlan struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ControlImplementation ControlImplementation `json:"control-implementation" yaml:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation"` - UUID string `json:"uuid" yaml:"uuid"` -} - +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Schema *string 
`json:"$schema,omitempty" yaml:"$schema,omitempty" xml:"$schema,omitempty"` + Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty" xml:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty" xml:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty" xml:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty" xml:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty" xml:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty" xml:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty" xml:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty" xml:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp" yaml:"import-ssp" xml:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty" xml:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. 
type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatform `json:"assessment-platforms" yaml:"assessment-platforms"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms" yaml:"assessment-platforms" xml:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty" xml:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A reference to a local or remote resource, that has a specific relation to the containing +// object. +type LinkElement struct { + // A resolvable URL reference to a resource. 
+ Href string `json:"href" yaml:"href" xml:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + // Describes the type of relationship provided by the link's hypertext reference. This can + // be an indicator of the link's purpose. + Rel *string `json:"rel,omitempty" yaml:"rel,omitempty" xml:"rel,omitempty"` + // In case where the href points to a back-matter/resource, this value will indicate the URI + // fragment to append to any rlink associated with the resource. This value MUST be URI + // encoded. + ResourceFragment *string `json:"resource-fragment,omitempty" yaml:"resource-fragment,omitempty" xml:"resource-fragment,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty" yaml:"text,omitempty" xml:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // An identifier for relating distinct sets of properties. + Group *string `json:"group,omitempty" yaml:"group,omitempty" xml:"group,omitempty"` + // A textual label, within a namespace, that uniquely identifies a specific attribute, + // characteristic, or quality of the property's containing object. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A unique identifier for a property. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type AssessmentSubject struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeSubjects *[]SelectSubjectById `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeSubjects *[]SelectSubjectById `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Type string `json:"type" yaml:"type"` +// A reference to a set of persons and/or organizations that have responsibility for +// performing the referenced role in the context of the containing object. 
+type ResponsibleParty struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids" yaml:"party-uuids" xml:"party-uuids"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A reference to a role performed by a party. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status" yaml:"status" xml:"status"` + // A human readable name for the system component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name" yaml:"name" xml:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty" xml:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty" yaml:"start,omitempty" xml:"start,omitempty"` + // Indicates the transport type. 
+ Transport *Transport `json:"transport,omitempty" yaml:"transport,omitempty" xml:"transport,omitempty"` } +// A reference to a role with responsibility for performing a function relative to the +// containing object, optionally associated with a set of persons and/or organizations that +// perform that role. +type ResponsibleRole struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty" xml:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to a role performed. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state" yaml:"state" xml:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty" xml:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty" xml:"include-subjects,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources that may be referenced from within the OSCAL document instance. 
type BackMatter struct { - Resources *[]Resource `json:"resources,omitempty" yaml:"resources,omitempty"` -} - -type ImportSsp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type LocalDefinitions struct { - Activities *[]Activity `json:"activities,omitempty" yaml:"activities,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - ObjectivesAndMethods *[]LocalObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users *[]SystemUser `json:"users,omitempty" yaml:"users,omitempty"` -} - -type Metadata struct { - Actions *[]Action `json:"actions,omitempty" yaml:"actions,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified" yaml:"last-modified"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Locations *[]Location `json:"locations,omitempty" yaml:"locations,omitempty"` - OscalVersion string `json:"oscal-version" yaml:"oscal-version"` - Parties *[]Party `json:"parties,omitempty" yaml:"parties,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Revisions *[]RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty"` - Roles *[]Role `json:"roles,omitempty" yaml:"roles,omitempty"` - Title string `json:"title" yaml:"title"` - Version string `json:"version" yaml:"version"` -} - -type ReviewedControls struct { - 
ControlObjectiveSelections *[]ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Task struct { - AssociatedActivities *[]AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty"` - Dependencies *[]TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentPlanTermsAndConditions struct { - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` -} - -type ImportAp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Result struct { - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty"` - Attestations *[]AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty"` 
- Description string `json:"description" yaml:"description"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Control struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type Group struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` + 
Resources []Resource `json:"resources,omitempty" yaml:"resources,omitempty" xml:"resources,omitempty"` } -type Parameter struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - ID string `json:"id" yaml:"id"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type Capability struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - IncorporatesComponents *[]IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DefinedComponent struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols 
*[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImportComponentDefinition struct { - Href string `json:"href" yaml:"href"` -} - -type Finding struct { - Description string `json:"description" yaml:"description"` - ImplementationStatementUuid string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Target FindingTarget `json:"target" yaml:"target"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestonesLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A resource associated with content in the containing document instance. 
A resource may be +// directly included in the document using base64 encoding or may point to one or more +// equivalent internet resources. +type Resource struct { + // A resource encoded using the Base64 alphabet defined by RFC 2045. + Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty" xml:"base64,omitempty"` + // An optional citation consisting of end note text using structured markup. + Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty" xml:"citation,omitempty"` + // An optional short summary of the resource used to indicate the purpose of the resource. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty" xml:"rlinks,omitempty"` + // An optional name given to the resource, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A unique identifier for a resource. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A resource encoded using the Base64 alphabet defined by RFC 2045. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty" yaml:"filename,omitempty" xml:"filename,omitempty"` + // A label that indicates the nature of a resource, as a data serialization or format. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Observation struct { - Collected time.Time `json:"collected" yaml:"collected"` - Description string `json:"description" yaml:"description"` - Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Methods []string `json:"methods" yaml:"methods"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelevantEvidence *[]RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Types *[]string `json:"types,omitempty" yaml:"types,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PoamItem struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedFindings *[]RelatedFinding `json:"related-findings,omitempty" yaml:"related-findings,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} - -type Risk struct { - Characterizations *[]Characterization `json:"characterizations,omitempty" 
yaml:"characterizations,omitempty"` - Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - MitigatingFactors *[]MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - Remediations *[]Response `json:"remediations,omitempty" yaml:"remediations,omitempty"` - RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty"` - Statement string `json:"statement" yaml:"statement"` - Status string `json:"status" yaml:"status"` - ThreatIds *[]ThreatId `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemId struct { - ID string `json:"id" yaml:"id"` - IdentifierType string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty"` -} - -type Import struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - Href string `json:"href" yaml:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` -} - -type Merge struct { - AsIs bool `json:"as-is,omitempty" yaml:"as-is,omitempty"` - Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty"` - Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty"` - Flat *FlatWithoutGrouping `json:"flat,omitempty" yaml:"flat,omitempty"` -} - -type Modify struct { - Alters *[]Alteration `json:"alters,omitempty" yaml:"alters,omitempty"` - SetParameters 
*[]ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` -} - -type ControlImplementation struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirement `json:"implemented-requirements" yaml:"implemented-requirements"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` +// An optional citation consisting of end note text using structured markup. +type Citation struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A line of citation text. + Text string `json:"text" yaml:"text" xml:"text"` } -type ImportProfile struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A document identifier qualified by an identifier scheme. +type DocumentIdentifier struct { + Identifier string `json:"identifier" yaml:"identifier" xml:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. 
+ Scheme *string `json:"scheme,omitempty" yaml:"scheme,omitempty" xml:"scheme,omitempty"` } -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty"` - DateAuthorized string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty" yaml:"security-impact-level,omitempty"` - SecuritySensitivityLevel string `json:"security-sensitivity-level,omitempty" yaml:"security-sensitivity-level,omitempty"` - Status Status `json:"status" yaml:"status"` - SystemIds []SystemId `json:"system-ids" yaml:"system-ids"` - SystemInformation SystemInformation `json:"system-information" yaml:"system-information"` - SystemName string `json:"system-name" yaml:"system-name"` - SystemNameShort string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty"` +// A URL-based pointer to an external resource with an optional hash for verification and +// change detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty" yaml:"hashes,omitempty" xml:"hashes,omitempty"` + // A resolvable URL pointing to the referenced resource. + Href string `json:"href" yaml:"href" xml:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` } -type SystemImplementation struct { - Components []SystemComponent `json:"components" yaml:"components"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - LeveragedAuthorizations *[]LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users []SystemUser `json:"users" yaml:"users"` -} - -type AssessmentPlatform struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UsesComponents *[]UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemComponent struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Status SystemComponentStatus `json:"status" yaml:"status"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SelectSubjectById struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props 
*[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Type string `json:"type" yaml:"type"` -} - -type IncludeAll = map[string]interface{} - -type Link struct { - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Rel string `json:"rel,omitempty" yaml:"rel,omitempty"` - ResourceFragment string `json:"resource-fragment,omitempty" yaml:"resource-fragment,omitempty"` - Text string `json:"text,omitempty" yaml:"text,omitempty"` +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // The digest method by which a hash is derived. + Algorithm string `json:"algorithm" yaml:"algorithm" xml:"algorithm"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Property struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Group string `json:"group,omitempty" yaml:"group,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` - Value string `json:"value" yaml:"value"` +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type Resource struct { - Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty"` - Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Rlinks *[]ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. 
type Activity struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedControls *ReviewedControls `json:"related-controls,omitempty" yaml:"related-controls,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Steps *[]Step `json:"steps,omitempty" yaml:"steps,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - + // A human-readable description of this included activity. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty" yaml:"related-controls,omitempty" xml:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty" yaml:"steps,omitempty" xml:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty" xml:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections" xml:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty" xml:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty" xml:"include-objectives,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id" yaml:"objective-id" xml:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type ControlSelectionExcludeControl struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty" xml:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty" xml:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A single managed inventory item within the system. 
type InventoryItem struct { - Description string `json:"description" yaml:"description"` - ImplementedComponents *[]ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type LocalObjective struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Parts []Part `json:"parts" yaml:"parts"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty" xml:"implemented-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Parts []PartElement `json:"parts" yaml:"parts" xml:"parts"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// An annotated, markup-based textual element of a control's or catalog group's definition, +// or a child of another part. +type PartElement struct { + // An optional textual providing a sub-type or characterization of the part's name, or a + // category to which the part belongs. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A unique identifier for the part. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type, which exists in a + // value space qualified by the ns. + Name string `json:"name" yaml:"name" xml:"name"` + // An optional namespace qualifying the part's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // An optional name given to the part, which may be used by a tool for display and + // navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. type SystemUser struct { - AuthorizedPrivileges *[]AuthorizedPrivilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleIds *[]string `json:"role-ids,omitempty" yaml:"role-ids,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty" xml:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty" yaml:"role-ids,omitempty" xml:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed" xml:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Provides information about the containing document, and defines concepts that are shared +// across the document. 
+type DocumentMetadata struct { + Actions []Action `json:"actions,omitempty" yaml:"actions,omitempty" xml:"actions,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified" yaml:"last-modified" xml:"last-modified"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Locations []Location `json:"locations,omitempty" yaml:"locations,omitempty" xml:"locations,omitempty"` + OscalVersion string `json:"oscal-version" yaml:"oscal-version" xml:"oscal-version"` + Parties []PartyElement `json:"parties,omitempty" yaml:"parties,omitempty" xml:"parties,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty" xml:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty" yaml:"roles,omitempty" xml:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// An action applied by a role within a given party to the content. 
type Action struct { - Date *time.Time `json:"date,omitempty" yaml:"date,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - System string `json:"system" yaml:"system"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DocumentId struct { - Identifier string `json:"identifier" yaml:"identifier"` - Scheme string `json:"scheme,omitempty" yaml:"scheme,omitempty"` -} - + // The date and time when the action occurred. + Date *time.Time `json:"date,omitempty" yaml:"date,omitempty" xml:"date,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // Specifies the action type system used. + System string `json:"system" yaml:"system" xml:"system"` + // The type of action documented by the assembly, such as an approval. + Type string `json:"type" yaml:"type" xml:"type"` + // A unique identifier that can be used to reference this defined action elsewhere in an + // OSCAL document. A UUID should be consistently used for a given location across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A physical point of presence, which may be associated with people, organizations, or +// other concepts within the current or linked OSCAL document. 
type Location struct { - Address *Address `json:"address,omitempty" yaml:"address,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Urls *[]string `json:"urls,omitempty" yaml:"urls,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Party struct { - Addresses *[]Address `json:"addresses,omitempty" yaml:"addresses,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - ExternalIds *[]PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocationUuids *[]string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty"` - MemberOfOrganizations *[]string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty"` - Name string `json:"name,omitempty" yaml:"name,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ResponsibleParty struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids []string `json:"party-uuids" yaml:"party-uuids"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" 
yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` + Address *Address `json:"address,omitempty" yaml:"address,omitempty" xml:"address,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Urls []string `json:"urls,omitempty" yaml:"urls,omitempty" xml:"urls,omitempty"` + // A unique ID for the location, for reference. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty" xml:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty" yaml:"city,omitempty" xml:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty" yaml:"country,omitempty" xml:"country,omitempty"` + // Postal or ZIP code for mailing address. + PostalCode *string `json:"postal-code,omitempty" yaml:"postal-code,omitempty" xml:"postal-code,omitempty"` + // State, province or analogous geographical region for a mailing address. + State *string `json:"state,omitempty" yaml:"state,omitempty" xml:"state,omitempty"` + // Indicates the type of address. 
+ Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// A telephone service number as defined by ITU-T E.164. +type TelephoneNumber struct { + Number string `json:"number" yaml:"number" xml:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// An organization or person, which may be associated with roles or other concepts within +// the current or linked OSCAL document. +type PartyElement struct { + Addresses []Address `json:"addresses,omitempty" yaml:"addresses,omitempty" xml:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty" xml:"external-ids,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty" xml:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty" xml:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty" yaml:"name,omitempty" xml:"name,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. 
+ Type PartyType `json:"type" yaml:"type" xml:"type"` + // A unique identifier for the party. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID). +type PartyExternalIdentifier struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme" yaml:"scheme" xml:"scheme"` } +// An entry in a sequential list of revisions to the containing document, expected to be in +// reverse chronological order (i.e. latest first). type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - OscalVersion string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Version string `json:"version" yaml:"version"` -} - + LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty" xml:"last-modified,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty" xml:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// Defines a function, which might be assigned to a party in a specific situation. type Role struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type ReferencedControlObjectives struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeObjectives *[]SelectObjectiveById `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeObjectives *[]SelectObjectiveById `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type AssessedControls struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeControls *[]AssessedControlsSelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]AssessedControlsSelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} 
- + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // A unique identifier for the role. + ID string `json:"id" yaml:"id" xml:"id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty" xml:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty" xml:"dependencies,omitempty"` + // A human-readable description of this task. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty" xml:"timing,omitempty"` + // The title for this task. + Title string `json:"title" yaml:"title" xml:"title"` + // The type of task. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. 
type AssociatedActivity struct { - ActivityUuid string `json:"activity-uuid" yaml:"activity-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid" yaml:"activity-uuid" xml:"activity-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } +// Used to indicate that a task is dependent on another task. type TaskDependency struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} - -type ResponsibleRole struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids *[]string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. 
+ TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` } +// The timing under which the task is intended to occur. type EventTiming struct { - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty"` - OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty"` - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty"` + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty" xml:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty" xml:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty" xml:"within-date-range,omitempty"` } -type AssessmentPart struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period" yaml:"period" xml:"period"` + // The unit of time for the period. 
+ Unit TimeUnit `json:"unit" yaml:"unit" xml:"unit"` } -type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries" yaml:"entries"` +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date" yaml:"date" xml:"date"` } -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts" yaml:"parts"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end" yaml:"end" xml:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start" yaml:"start" xml:"start"` } -type Part struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. 
+type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` } -type ParameterConstraint struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Tests *[]ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty"` +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). 
This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. +type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap" yaml:"import-ap" xml:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Results []AssessmentResult `json:"results" yaml:"results" xml:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. +type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty" xml:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty" xml:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Findings []Finding `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this set of results. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type ParameterGuideline struct { - Prose string `json:"prose" yaml:"prose"` +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this event. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. +type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty" xml:"identified-subject,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. 
+ SubjectPlaceholderUUID string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid" xml:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } -type ParameterSelection struct { - Choice *[]string `json:"choice,omitempty" yaml:"choice,omitempty"` - HowMany string `json:"how-many,omitempty" yaml:"how-many,omitempty"` +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts" yaml:"parts" xml:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type ControlImplementationSet struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirementControlImplementation `json:"implemented-requirements" yaml:"implemented-requirements"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Source string `json:"source" yaml:"source"` - UUID string `json:"uuid" yaml:"uuid"` +// Describes an individual finding. +type Finding struct { + // A human-readable description of this finding. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. 
+ ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty" xml:"implementation-statement-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Target TargetClass `json:"target" yaml:"target" xml:"target"` + // The title for this finding. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. 
+type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid" yaml:"actor-uuid" xml:"actor-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type" yaml:"type" xml:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status" yaml:"status" xml:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id" yaml:"target-id" xml:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type" yaml:"type" xml:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state" yaml:"state" xml:"state"` } -type IncorporatesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. 
+ Reason *string `json:"reason,omitempty" yaml:"reason,omitempty" xml:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state" yaml:"state" xml:"state"` } -type Protocol struct { - Name string `json:"name" yaml:"name"` - PortRanges *[]PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } -type Origin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected" yaml:"collected" xml:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. 
+ // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty" xml:"expires,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Methods []string `json:"methods" yaml:"methods" xml:"methods"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty" xml:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Types []string `json:"types,omitempty" yaml:"types,omitempty" xml:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. + Description string `json:"description" yaml:"description" xml:"description"` + // A resolvable URL reference to relevant evidence. 
+ Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty" xml:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty" xml:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty" xml:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty" yaml:"remediations,omitempty" xml:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty" xml:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. + Statement string `json:"statement" yaml:"statement" xml:"statement"` + Status string `json:"status" yaml:"status" xml:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty" xml:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. 
+type Characterization struct { + Facets []Facet `json:"facets" yaml:"facets" xml:"facets"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origin FindingOrigin `json:"origin" yaml:"origin" xml:"origin"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type RelatedObservation struct { - ObservationUuid string `json:"observation-uuid" yaml:"observation-uuid"` +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system" yaml:"system" xml:"system"` + // Indicates the value of the facet. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. 
+ // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty" xml:"implementation-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. + Lifecycle string `json:"lifecycle" yaml:"lifecycle" xml:"lifecycle"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty" xml:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all risk-related tasks taken. +type RiskLog struct { + Entries []RiskLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type AssociatedRisk struct { - RiskUuid string `json:"risk-uuid" yaml:"risk-uuid"` +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty" xml:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + StatusChange *string `json:"status-change,omitempty" yaml:"status-change,omitempty" xml:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. 
+type RiskResponseReference struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid" yaml:"response-uuid" xml:"response-uuid"` } -type FindingTarget struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Status ObjectiveStatus `json:"status" yaml:"status"` - TargetId string `json:"target-id" yaml:"target-id"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + ID string `json:"id" yaml:"id" xml:"id"` + // Specifies the source of the threat information. 
+ System string `json:"system" yaml:"system" xml:"system"` } -type RelevantEvidence struct { - Description string `json:"description" yaml:"description"` - Href string `json:"href,omitempty" yaml:"href,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A structured, organized collection of control information. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + // Provides a globally unique means to identify a given catalog instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` } -type SubjectReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// A structured object representing a requirement or guideline, which when implemented will +// reduce an aspect of risk related to an information system and its information. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. 
+ Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + // Identifies a control such that it can be referenced in the defining catalog and other + // OSCAL instances (e.g., profiles). + ID string `json:"id" yaml:"id" xml:"id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the type, purpose, use or scope of + // the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // (deprecated) Another parameter invoking this one. This construct has been deprecated and + // should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A unique identifier for the parameter. + ID string `json:"id" yaml:"id" xml:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. 
+ Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test. +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty" xml:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint. + Expression string `json:"expression" yaml:"expression" xml:"expression"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. + Prose string `json:"prose" yaml:"prose" xml:"prose"` +} + +// Presenting a choice among alternatives. +type Selection struct { + Choice []string `json:"choice,omitempty" yaml:"choice,omitempty" xml:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. 
+ HowMany *ParameterCardinality `json:"how-many,omitempty" yaml:"how-many,omitempty" xml:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. +type CatalogGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // Identifies the group for the purpose of cross-linking within the defining instance or + // from other instances that reference the catalog. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. 
+type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty" xml:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty" xml:"import-component-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + // Provides a globally unique means to identify a given component definition instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` } +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description" yaml:"description" xml:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty" xml:"incorporates-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Provides a globally unique means to identify a given capability. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the component or capability supports a set of controls. 
+type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source" yaml:"source" xml:"source"` + // Provides a means to identify a set of control implementations that are supported by a + // given component or capability. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A suggestion from the supplier (e.g., component vendor or author) for how the specified + // control may be implemented if the containing component or capability is instantiated in a + // system security plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // Provides a globally unique means to identify a given control implementation by a + // component. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Values []string `json:"values" yaml:"values" xml:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The collection of components comprising this capability. +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type string `json:"type" yaml:"type" xml:"type"` + // Provides a globally unique means to identify a given component. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href" yaml:"href" xml:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. 
+type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Findings []Finding `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty" xml:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items" yaml:"poam-items" xml:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty" yaml:"system-id,omitempty" xml:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. 
+type PlanOfActionAndMilestonesLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedFindings []RelatedFinding `json:"related-findings,omitempty" yaml:"related-findings,omitempty" xml:"related-findings,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. type PoamItemOrigin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` } +// Relates the poam-item to referenced finding(s). type RelatedFinding struct { - FindingUuid string `json:"finding-uuid" yaml:"finding-uuid"` + // A machine-oriented identifier reference to a finding defined in the list of findings. + FindingUUID string `json:"finding-uuid" yaml:"finding-uuid" xml:"finding-uuid"` } -type Characterization struct { - Facets []Facet `json:"facets" yaml:"facets"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origin Origin `json:"origin" yaml:"origin"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. 
+ ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` } -type MitigatingFactor struct { - Description string `json:"description" yaml:"description"` - ImplementationUuid string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Response struct { - Description string `json:"description" yaml:"description"` - Lifecycle string `json:"lifecycle" yaml:"lifecycle"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RequiredAssets *[]RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` } -type RiskLog struct { - Entries []RiskLogEntry `json:"entries" yaml:"entries"` +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty" xml:"identifier-type,omitempty"` } -type ThreatId struct { - Href string `json:"href,omitempty" yaml:"href,omitempty"` - ID string `json:"id" yaml:"id"` - System string `json:"system" yaml:"system"` +// Each OSCAL profile is defined by a profile element. +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Imports []ImportResource `json:"imports" yaml:"imports" xml:"imports"` + Merge *MergeControls `json:"merge,omitempty" yaml:"merge,omitempty" xml:"merge,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Modify *ModifyControls `json:"modify,omitempty" yaml:"modify,omitempty" xml:"modify,omitempty"` + // Provides a globally unique means to identify a given profile instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Designates a referenced source catalog or profile that provides a source of control +// information for use in creating a new overlay or baseline. +type ImportResource struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
+ Href string `json:"href" yaml:"href" xml:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` +} + +// Select a control or controls from an imported control set. +type ImportExcludeControl struct { + Matching []MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty" xml:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty" xml:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty" yaml:"with-ids,omitempty" xml:"with-ids,omitempty"` +} + +// Selecting a set of controls by matching their IDs with a wildcard pattern. +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty" yaml:"pattern,omitempty" xml:"pattern,omitempty"` +} + +// Provides structuring directives that instruct how controls are organized after profile +// resolution. +type MergeControls struct { + // Indicates that the controls selected should retain their original grouping as defined in + // the import source. + AsIs *bool `json:"as-is,omitempty" yaml:"as-is,omitempty" xml:"as-is,omitempty"` + // A Combine element defines how to resolve duplicate instances of the same control (e.g., + // controls with the same ID). + Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty" xml:"combine,omitempty"` + // Provides an alternate grouping structure that selected controls will be placed in. 
+ Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty" xml:"custom,omitempty"` + // Directs that controls appear without any grouping structure. + Flat *FlatWithoutGrouping `json:"flat,omitempty" yaml:"flat,omitempty" xml:"flat,omitempty"` +} + +// A Combine element defines how to resolve duplicate instances of the same control (e.g., +// controls with the same ID). +type CombinationRule struct { + // Declare how clashing controls should be handled. + Method *CombinationMethod `json:"method,omitempty" yaml:"method,omitempty" xml:"method,omitempty"` } -type SelectControlById struct { - Matching *[]Matching `json:"matching,omitempty" yaml:"matching,omitempty"` - WithChildControls string `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty"` - WithIds *[]string `json:"with-ids,omitempty" yaml:"with-ids,omitempty"` +// Provides an alternate grouping structure that selected controls will be placed in. +type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls. +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // Identifies the group. 
+ ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name to be given to the group for use in display. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Specifies which controls to use in the containing context. +type InsertControls struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty" yaml:"order,omitempty" xml:"order,omitempty"` } -type CombinationRule struct { - Method string `json:"method,omitempty" yaml:"method,omitempty"` +// Directs that controls appear without any grouping structure. +type FlatWithoutGrouping struct { } -type CustomGrouping struct { - Groups *[]CustomGroupingGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` +// Set parameters or amend controls in resolution. 
+type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty" yaml:"alters,omitempty" xml:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` } -type FlatWithoutGrouping = map[string]interface{} - +// Specifies changes to be made to an included control when a profile is resolved. type Alteration struct { - Adds *[]Addition `json:"adds,omitempty" yaml:"adds,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Removes *[]Removal `json:"removes,omitempty" yaml:"removes,omitempty"` + Adds []Addition `json:"adds,omitempty" yaml:"adds,omitempty" xml:"adds,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Removes []Removal `json:"removes,omitempty" yaml:"removes,omitempty" xml:"removes,omitempty"` } +// Specifies contents to be added into controls, in resolution. +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside + // it). + Position *Position `json:"position,omitempty" yaml:"position,omitempty" xml:"position,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty" yaml:"by-class,omitempty" xml:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + // Identify items to remove by the name of the item's information object name, e.g. title or + // prop. + ByItemName *ItemNameReference `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty" xml:"by-item-name,omitempty"` + // Identify items remove by matching their assigned name. + ByName *string `json:"by-name,omitempty" yaml:"by-name,omitempty" xml:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty" yaml:"by-ns,omitempty" xml:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion. 
type ParameterSetting struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - ParamId string `json:"param-id" yaml:"param-id"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type ImplementedRequirement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]Statement `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SetParameter struct { - ParamId string `json:"param-id" yaml:"param-id"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Values []string `json:"values" yaml:"values"` + // A textual label that provides a characterization of the parameter. 
+ Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // An identifier for the parameter. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18. 
+type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation" yaml:"control-implementation" xml:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile" xml:"import-profile"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics" xml:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation" xml:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. 
+type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. 
+ ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. + Export *Export `json:"export,omitempty" yaml:"export,omitempty" xml:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty" xml:"inherited,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty" xml:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty" xml:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty" xml:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. +type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. 
+ ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. 
+ ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. 
+ ResponsibilityUUID *string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty" xml:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies which statements within a control are addressed. +type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. 
The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. +type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary" xml:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty" xml:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty" xml:"date-authorized,omitempty"` + // A summary of the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty" xml:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty" yaml:"security-impact-level,omitempty" xml:"security-impact-level,omitempty"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty" yaml:"security-sensitivity-level,omitempty" xml:"security-sensitivity-level,omitempty"` + Status SystemCharacteristicsStatus `json:"status" yaml:"status" xml:"status"` + SystemIDS []SystemIdentification `json:"system-ids" yaml:"system-ids" xml:"system-ids"` + SystemInformation SystemInformation `json:"system-information" yaml:"system-information" xml:"system-information"` + // The full name of the system. + SystemName string `json:"system-name" yaml:"system-name" xml:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty" xml:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. 
type AuthorizationBoundary struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's authorization boundary. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty" yaml:"caption,omitempty" xml:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). 
This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. type DataFlow struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's data flow. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. type NetworkArchitecture struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's network architecture. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. type SecurityImpactLevel struct { - SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability"` - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality"` - SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity"` -} - -type Status struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability" xml:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality" xml:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity" xml:"security-objective-integrity"` +} + +// Describes the operational status of the system. 
+type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state" yaml:"state" xml:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. type SystemInformation struct { - InformationTypes []InformationType `json:"information-types" yaml:"information-types"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` -} - -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized" yaml:"date-authorized"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type UsesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type SystemComponentStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Base64 struct { - Filename string `json:"filename,omitempty" yaml:"filename,omitempty"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Value string `json:"value" yaml:"value"` -} - -type Citation struct { - Links *[]Link `json:"links,omitempty" 
yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Text string `json:"text" yaml:"text"` -} - -type ResourceLink struct { - Hashes *[]Hash `json:"hashes,omitempty" yaml:"hashes,omitempty"` - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` -} - -type Step struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControls `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImplementedComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type AuthorizedPrivilege struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed"` - Title string `json:"title" yaml:"title"` -} - -type Address struct { - AddrLines *[]string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty"` - City string `json:"city,omitempty" yaml:"city,omitempty"` - Country string `json:"country,omitempty" yaml:"country,omitempty"` - PostalCode string `json:"postal-code,omitempty" yaml:"postal-code,omitempty"` - State string `json:"state,omitempty" 
yaml:"state,omitempty"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type TelephoneNumber struct { - Number string `json:"number" yaml:"number"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type PartyExternalIdentifier struct { - ID string `json:"id" yaml:"id"` - Scheme string `json:"scheme" yaml:"scheme"` -} - -type SelectObjectiveById struct { - ObjectiveId string `json:"objective-id" yaml:"objective-id"` -} - -type AssessedControlsSelectControlById struct { - ControlId string `json:"control-id" yaml:"control-id"` - StatementIds *[]string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty"` -} - -type FrequencyCondition struct { - Period int `json:"period" yaml:"period"` - Unit string `json:"unit" yaml:"unit"` -} - -type OnDateCondition struct { - Date time.Time `json:"date" yaml:"date"` -} - -type OnDateRangeCondition struct { - End time.Time `json:"end" yaml:"end"` - Start time.Time `json:"start" yaml:"start"` -} - -type AssessmentLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ConstraintTest struct { - Expression string `json:"expression" yaml:"expression"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type ImplementedRequirementControlImplementation struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string 
`json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PortRange struct { - End int `json:"end,omitempty" yaml:"end,omitempty"` - Start int `json:"start,omitempty" yaml:"start,omitempty"` - Transport string `json:"transport,omitempty" yaml:"transport,omitempty"` -} - -type OriginActor struct { - ActorUuid string `json:"actor-uuid" yaml:"actor-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` - Type string `json:"type" yaml:"type"` -} - -type RelatedTask struct { - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} - -type ImplementationStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type ObjectiveStatus struct { - Reason string `json:"reason,omitempty" yaml:"reason,omitempty"` 
- Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Facet struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - System string `json:"system" yaml:"system"` - Value string `json:"value" yaml:"value"` -} - -type RequiredAsset struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type RiskLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedResponses *[]RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - StatusChange string `json:"status-change,omitempty" yaml:"status-change,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Matching struct { - Pattern string `json:"pattern,omitempty" yaml:"pattern,omitempty"` -} - -type CustomGroupingGroup struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Groups *[]CustomGroupingGroup 
`json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type InsertControls struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Order string `json:"order,omitempty" yaml:"order,omitempty"` + InformationTypes []InformationType `json:"information-types" yaml:"information-types" xml:"information-types"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type Addition struct { - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Position string `json:"position,omitempty" yaml:"position,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` -} - -type Removal struct { - ByClass string `json:"by-class,omitempty" yaml:"by-class,omitempty"` - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - ByItemName string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty"` - ByName string `json:"by-name,omitempty" 
yaml:"by-name,omitempty"` - ByNs string `json:"by-ns,omitempty" yaml:"by-ns,omitempty"` -} - -type ByComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` - Export *Export `json:"export,omitempty" yaml:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Inherited *[]InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Satisfied *[]SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Statement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. 
+type InformationType struct { + AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty" yaml:"availability-impact,omitempty" xml:"availability-impact,omitempty"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty" xml:"categorizations,omitempty"` + ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty" yaml:"confidentiality-impact,omitempty" xml:"confidentiality-impact,omitempty"` + // A summary of how this information type is used within the system. + Description string `json:"description" yaml:"description" xml:"description"` + IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty" yaml:"integrity-impact,omitempty" xml:"integrity-impact,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// The expected level of impact resulting from the described information. 
+type ImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty" xml:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system" yaml:"system" xml:"system"` } -type Diagram struct { - Caption string `json:"caption,omitempty" yaml:"caption,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components" yaml:"components" xml:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty" xml:"leveraged-authorizations,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users" yaml:"users" xml:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized" yaml:"date-authorized" xml:"date-authorized"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Indicates the transport type. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) -type InformationType struct { - AvailabilityImpact *Impact `json:"availability-impact,omitempty" yaml:"availability-impact,omitempty"` - Categorizations *[]InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty"` - ConfidentialityImpact *Impact `json:"confidentiality-impact,omitempty" yaml:"confidentiality-impact,omitempty"` - Description string `json:"description" yaml:"description"` - IntegrityImpact *Impact `json:"integrity-impact,omitempty" yaml:"integrity-impact,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} +// The operational status. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. 
+// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. 
+// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) -type Hash struct { - Algorithm string `json:"algorithm" yaml:"algorithm"` - Value string `json:"value" yaml:"value"` -} +// A category describing the kind of party the object describes. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) -type LoggedBy struct { - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` -} +// The unit of time for the period. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) -type ControlStatementImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The kind of actor. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. 
+// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. 
+// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) -type IdentifiedSubject struct { - SubjectPlaceholderUuid string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` -} +// An indication as to whether the objective is satisfied or not. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) -type RiskResponseReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponseUuid string `json:"response-uuid" yaml:"response-uuid"` -} +// Identifies the type of the target. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. 
Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. 
This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) -type Export struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Provided *[]ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Responsibilities *[]ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty"` -} +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) -type InheritedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// When a control is included, whether its child (dependent) controls are also included. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. 
+// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. 
+// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) -type SatisfiedControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibilityUuid string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Declare how clashing controls should be handled. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. 
This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. 
+// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) -type Impact struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// A designation of how a selection of controls in a profile is to be ordered. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). 
+// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. 
+// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) -type InformationTypeCategorization struct { - InformationTypeIds *[]string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty"` - System string `json:"system" yaml:"system"` -} +// Where to add the new content with respect to the targeted element (beside it or inside +// it). +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) -type ProvidedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Identify items to remove by the name of the item's information object name, e.g. title or +// prop. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ItemNameReference string + +const ( + Link ItemNameReference = "link" + Map ItemNameReference = "map" + Mapping ItemNameReference = "mapping" + Param ItemNameReference = "param" + Part ItemNameReference = "part" + Prop ItemNameReference = "prop" +) -type ControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The current operating status. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. 
Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. 
This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/oscal-1-1-1/types.go b/src/types/oscal-1-1-1/types.go index b5f68716..d0ccf549 100644 --- a/src/types/oscal-1-1-1/types.go +++ b/src/types/oscal-1-1-1/types.go 
@@ -1,1273 +1,3754 @@ -/* -This file was auto-generated with go-oscal. +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() -To regenerate: - - go-oscal generate \ - --input-file \ - --output-file // the path to this file must already exist \ - --tags json,yaml // the tags to add to the Go structs \ - --pkg // defaults to "main" - -For more information on how to use go-oscal: go-oscal --help - -Source: https://github.com/defenseunicorns/go-oscal -*/ package oscalTypes_1_1_1 -import ( - "time" -) - -type OscalModels = OscalCompleteSchema -type OscalCompleteSchema struct { - AssessmentPlan *AssessmentPlan `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty"` - AssessmentResults *AssessmentResults `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty"` - Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestones `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty"` - Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty"` - SystemSecurityPlan *SystemSecurityPlan `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty"` -} - -type AssessmentPlan struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - AssessmentSubjects *[]AssessmentSubject `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportSsp ImportSsp `json:"import-ssp" yaml:"import-ssp"` - LocalDefinitions *LocalDefinitions 
`json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentResults struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportAp ImportAp `json:"import-ap" yaml:"import-ap"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Results []Result `json:"results" yaml:"results"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Capabilities *[]Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty"` - Components *[]DefinedComponent `json:"components,omitempty" yaml:"components,omitempty"` - ImportComponentDefinitions *[]ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestones struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - 
Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - ImportSsp *ImportSsp `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - PoamItems []PoamItem `json:"poam-items" yaml:"poam-items"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - SystemId *SystemId `json:"system-id,omitempty" yaml:"system-id,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Imports []Import `json:"imports" yaml:"imports"` - Merge *Merge `json:"merge,omitempty" yaml:"merge,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Modify *Modify `json:"modify,omitempty" yaml:"modify,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemSecurityPlan struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ControlImplementation ControlImplementation `json:"control-implementation" yaml:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation"` - UUID string `json:"uuid" yaml:"uuid"` -} - +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Schema *string 
`json:"$schema,omitempty" yaml:"$schema,omitempty" xml:"$schema,omitempty"` + Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty" xml:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty" xml:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty" xml:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty" xml:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty" xml:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty" xml:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty" xml:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty" xml:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp" yaml:"import-ssp" xml:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty" xml:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. 
type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatform `json:"assessment-platforms" yaml:"assessment-platforms"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms" yaml:"assessment-platforms" xml:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty" xml:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A reference to a local or remote resource, that has a specific relation to the containing +// object. +type LinkElement struct { + // A resolvable URL reference to a resource. 
+ Href string `json:"href" yaml:"href" xml:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + // Describes the type of relationship provided by the link's hypertext reference. This can + // be an indicator of the link's purpose. + Rel *string `json:"rel,omitempty" yaml:"rel,omitempty" xml:"rel,omitempty"` + // In case where the href points to a back-matter/resource, this value will indicate the URI + // fragment to append to any rlink associated with the resource. This value MUST be URI + // encoded. + ResourceFragment *string `json:"resource-fragment,omitempty" yaml:"resource-fragment,omitempty" xml:"resource-fragment,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty" yaml:"text,omitempty" xml:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // An identifier for relating distinct sets of properties. + Group *string `json:"group,omitempty" yaml:"group,omitempty" xml:"group,omitempty"` + // A textual label, within a namespace, that uniquely identifies a specific attribute, + // characteristic, or quality of the property's containing object. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A unique identifier for a property. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type AssessmentSubject struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeSubjects *[]SelectSubjectById `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeSubjects *[]SelectSubjectById `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Type string `json:"type" yaml:"type"` +// A reference to a set of persons and/or organizations that have responsibility for +// performing the referenced role in the context of the containing object. 
+type ResponsibleParty struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids" yaml:"party-uuids" xml:"party-uuids"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A reference to a role performed by a party. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status" yaml:"status" xml:"status"` + // A human readable name for the system component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name" yaml:"name" xml:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty" xml:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty" yaml:"start,omitempty" xml:"start,omitempty"` + // Indicates the transport type. 
+ Transport *Transport `json:"transport,omitempty" yaml:"transport,omitempty" xml:"transport,omitempty"` } +// A reference to a role with responsibility for performing a function relative to the +// containing object, optionally associated with a set of persons and/or organizations that +// perform that role. +type ResponsibleRole struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty" xml:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to a role performed. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state" yaml:"state" xml:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty" xml:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty" xml:"include-subjects,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources that may be referenced from within the OSCAL document instance. 
type BackMatter struct { - Resources *[]Resource `json:"resources,omitempty" yaml:"resources,omitempty"` -} - -type ImportSsp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type LocalDefinitions struct { - Activities *[]Activity `json:"activities,omitempty" yaml:"activities,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - ObjectivesAndMethods *[]LocalObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users *[]SystemUser `json:"users,omitempty" yaml:"users,omitempty"` -} - -type Metadata struct { - Actions *[]Action `json:"actions,omitempty" yaml:"actions,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified" yaml:"last-modified"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Locations *[]Location `json:"locations,omitempty" yaml:"locations,omitempty"` - OscalVersion string `json:"oscal-version" yaml:"oscal-version"` - Parties *[]Party `json:"parties,omitempty" yaml:"parties,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Revisions *[]RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty"` - Roles *[]Role `json:"roles,omitempty" yaml:"roles,omitempty"` - Title string `json:"title" yaml:"title"` - Version string `json:"version" yaml:"version"` -} - -type ReviewedControls struct { - 
ControlObjectiveSelections *[]ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Task struct { - AssociatedActivities *[]AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty"` - Dependencies *[]TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentPlanTermsAndConditions struct { - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` -} - -type ImportAp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Result struct { - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty"` - Attestations *[]AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty"` 
- Description string `json:"description" yaml:"description"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Control struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type Group struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` + 
Resources []Resource `json:"resources,omitempty" yaml:"resources,omitempty" xml:"resources,omitempty"` } -type Parameter struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - ID string `json:"id" yaml:"id"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type Capability struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - IncorporatesComponents *[]IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DefinedComponent struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols 
*[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImportComponentDefinition struct { - Href string `json:"href" yaml:"href"` -} - -type Finding struct { - Description string `json:"description" yaml:"description"` - ImplementationStatementUuid string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Target FindingTarget `json:"target" yaml:"target"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestonesLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A resource associated with content in the containing document instance. 
A resource may be +// directly included in the document using base64 encoding or may point to one or more +// equivalent internet resources. +type Resource struct { + // A resource encoded using the Base64 alphabet defined by RFC 2045. + Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty" xml:"base64,omitempty"` + // An optional citation consisting of end note text using structured markup. + Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty" xml:"citation,omitempty"` + // An optional short summary of the resource used to indicate the purpose of the resource. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty" xml:"rlinks,omitempty"` + // An optional name given to the resource, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A unique identifier for a resource. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A resource encoded using the Base64 alphabet defined by RFC 2045. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty" yaml:"filename,omitempty" xml:"filename,omitempty"` + // A label that indicates the nature of a resource, as a data serialization or format. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Observation struct { - Collected time.Time `json:"collected" yaml:"collected"` - Description string `json:"description" yaml:"description"` - Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Methods []string `json:"methods" yaml:"methods"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelevantEvidence *[]RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Types *[]string `json:"types,omitempty" yaml:"types,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PoamItem struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedFindings *[]RelatedFinding `json:"related-findings,omitempty" yaml:"related-findings,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} - -type Risk struct { - Characterizations *[]Characterization `json:"characterizations,omitempty" 
yaml:"characterizations,omitempty"` - Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - MitigatingFactors *[]MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - Remediations *[]Response `json:"remediations,omitempty" yaml:"remediations,omitempty"` - RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty"` - Statement string `json:"statement" yaml:"statement"` - Status string `json:"status" yaml:"status"` - ThreatIds *[]ThreatId `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemId struct { - ID string `json:"id" yaml:"id"` - IdentifierType string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty"` -} - -type Import struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - Href string `json:"href" yaml:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` -} - -type Merge struct { - AsIs bool `json:"as-is,omitempty" yaml:"as-is,omitempty"` - Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty"` - Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty"` - Flat *FlatWithoutGrouping `json:"flat,omitempty" yaml:"flat,omitempty"` -} - -type Modify struct { - Alters *[]Alteration `json:"alters,omitempty" yaml:"alters,omitempty"` - SetParameters 
*[]ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` -} - -type ControlImplementation struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirement `json:"implemented-requirements" yaml:"implemented-requirements"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` +// An optional citation consisting of end note text using structured markup. +type Citation struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A line of citation text. + Text string `json:"text" yaml:"text" xml:"text"` } -type ImportProfile struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A document identifier qualified by an identifier scheme. +type DocumentIdentifier struct { + Identifier string `json:"identifier" yaml:"identifier" xml:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. 
+ Scheme *string `json:"scheme,omitempty" yaml:"scheme,omitempty" xml:"scheme,omitempty"` } -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty"` - DateAuthorized string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty" yaml:"security-impact-level,omitempty"` - SecuritySensitivityLevel string `json:"security-sensitivity-level,omitempty" yaml:"security-sensitivity-level,omitempty"` - Status Status `json:"status" yaml:"status"` - SystemIds []SystemId `json:"system-ids" yaml:"system-ids"` - SystemInformation SystemInformation `json:"system-information" yaml:"system-information"` - SystemName string `json:"system-name" yaml:"system-name"` - SystemNameShort string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty"` +// A URL-based pointer to an external resource with an optional hash for verification and +// change detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty" yaml:"hashes,omitempty" xml:"hashes,omitempty"` + // A resolvable URL pointing to the referenced resource. + Href string `json:"href" yaml:"href" xml:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` } -type SystemImplementation struct { - Components []SystemComponent `json:"components" yaml:"components"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - LeveragedAuthorizations *[]LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users []SystemUser `json:"users" yaml:"users"` -} - -type AssessmentPlatform struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UsesComponents *[]UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemComponent struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Status SystemComponentStatus `json:"status" yaml:"status"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SelectSubjectById struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props 
*[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Type string `json:"type" yaml:"type"` -} - -type IncludeAll = map[string]interface{} - -type Link struct { - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Rel string `json:"rel,omitempty" yaml:"rel,omitempty"` - ResourceFragment string `json:"resource-fragment,omitempty" yaml:"resource-fragment,omitempty"` - Text string `json:"text,omitempty" yaml:"text,omitempty"` +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // The digest method by which a hash is derived. + Algorithm string `json:"algorithm" yaml:"algorithm" xml:"algorithm"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Property struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Group string `json:"group,omitempty" yaml:"group,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` - Value string `json:"value" yaml:"value"` +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type Resource struct { - Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty"` - Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Rlinks *[]ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. 
type Activity struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedControls *ReviewedControls `json:"related-controls,omitempty" yaml:"related-controls,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Steps *[]Step `json:"steps,omitempty" yaml:"steps,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - + // A human-readable description of this included activity. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty" yaml:"related-controls,omitempty" xml:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty" yaml:"steps,omitempty" xml:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty" xml:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections" xml:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty" xml:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty" xml:"include-objectives,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id" yaml:"objective-id" xml:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type ControlSelectionExcludeControl struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty" xml:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty" xml:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A single managed inventory item within the system. 
type InventoryItem struct { - Description string `json:"description" yaml:"description"` - ImplementedComponents *[]ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type LocalObjective struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Parts []Part `json:"parts" yaml:"parts"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty" xml:"implemented-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Parts []PartElement `json:"parts" yaml:"parts" xml:"parts"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// An annotated, markup-based textual element of a control's or catalog group's definition, +// or a child of another part. +type PartElement struct { + // An optional textual providing a sub-type or characterization of the part's name, or a + // category to which the part belongs. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A unique identifier for the part. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type, which exists in a + // value space qualified by the ns. + Name string `json:"name" yaml:"name" xml:"name"` + // An optional namespace qualifying the part's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // An optional name given to the part, which may be used by a tool for display and + // navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. type SystemUser struct { - AuthorizedPrivileges *[]AuthorizedPrivilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleIds *[]string `json:"role-ids,omitempty" yaml:"role-ids,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty" xml:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty" yaml:"role-ids,omitempty" xml:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed" xml:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Provides information about the containing document, and defines concepts that are shared +// across the document. 
+type DocumentMetadata struct { + Actions []Action `json:"actions,omitempty" yaml:"actions,omitempty" xml:"actions,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified" yaml:"last-modified" xml:"last-modified"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Locations []Location `json:"locations,omitempty" yaml:"locations,omitempty" xml:"locations,omitempty"` + OscalVersion string `json:"oscal-version" yaml:"oscal-version" xml:"oscal-version"` + Parties []PartyElement `json:"parties,omitempty" yaml:"parties,omitempty" xml:"parties,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty" xml:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty" yaml:"roles,omitempty" xml:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// An action applied by a role within a given party to the content. 
type Action struct { - Date *time.Time `json:"date,omitempty" yaml:"date,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - System string `json:"system" yaml:"system"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DocumentId struct { - Identifier string `json:"identifier" yaml:"identifier"` - Scheme string `json:"scheme,omitempty" yaml:"scheme,omitempty"` -} - + // The date and time when the action occurred. + Date *time.Time `json:"date,omitempty" yaml:"date,omitempty" xml:"date,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // Specifies the action type system used. + System string `json:"system" yaml:"system" xml:"system"` + // The type of action documented by the assembly, such as an approval. + Type string `json:"type" yaml:"type" xml:"type"` + // A unique identifier that can be used to reference this defined action elsewhere in an + // OSCAL document. A UUID should be consistently used for a given location across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A physical point of presence, which may be associated with people, organizations, or +// other concepts within the current or linked OSCAL document. 
type Location struct { - Address *Address `json:"address,omitempty" yaml:"address,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Urls *[]string `json:"urls,omitempty" yaml:"urls,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Party struct { - Addresses *[]Address `json:"addresses,omitempty" yaml:"addresses,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - ExternalIds *[]PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocationUuids *[]string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty"` - MemberOfOrganizations *[]string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty"` - Name string `json:"name,omitempty" yaml:"name,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ResponsibleParty struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids []string `json:"party-uuids" yaml:"party-uuids"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" 
yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` + Address *Address `json:"address,omitempty" yaml:"address,omitempty" xml:"address,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Urls []string `json:"urls,omitempty" yaml:"urls,omitempty" xml:"urls,omitempty"` + // A unique ID for the location, for reference. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty" xml:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty" yaml:"city,omitempty" xml:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty" yaml:"country,omitempty" xml:"country,omitempty"` + // Postal or ZIP code for mailing address. + PostalCode *string `json:"postal-code,omitempty" yaml:"postal-code,omitempty" xml:"postal-code,omitempty"` + // State, province or analogous geographical region for a mailing address. + State *string `json:"state,omitempty" yaml:"state,omitempty" xml:"state,omitempty"` + // Indicates the type of address. 
+ Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// A telephone service number as defined by ITU-T E.164. +type TelephoneNumber struct { + Number string `json:"number" yaml:"number" xml:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// An organization or person, which may be associated with roles or other concepts within +// the current or linked OSCAL document. +type PartyElement struct { + Addresses []Address `json:"addresses,omitempty" yaml:"addresses,omitempty" xml:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty" xml:"external-ids,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty" xml:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty" xml:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty" yaml:"name,omitempty" xml:"name,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. 
+ Type PartyType `json:"type" yaml:"type" xml:"type"` + // A unique identifier for the party. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID). +type PartyExternalIdentifier struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme" yaml:"scheme" xml:"scheme"` } +// An entry in a sequential list of revisions to the containing document, expected to be in +// reverse chronological order (i.e. latest first). type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - OscalVersion string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Version string `json:"version" yaml:"version"` -} - + LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty" xml:"last-modified,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty" xml:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// Defines a function, which might be assigned to a party in a specific situation. type Role struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type ReferencedControlObjectives struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeObjectives *[]SelectObjectiveById `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeObjectives *[]SelectObjectiveById `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type AssessedControls struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeControls *[]AssessedControlsSelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]AssessedControlsSelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} 
- + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // A unique identifier for the role. + ID string `json:"id" yaml:"id" xml:"id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty" xml:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty" xml:"dependencies,omitempty"` + // A human-readable description of this task. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty" xml:"timing,omitempty"` + // The title for this task. + Title string `json:"title" yaml:"title" xml:"title"` + // The type of task. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. 
type AssociatedActivity struct { - ActivityUuid string `json:"activity-uuid" yaml:"activity-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid" yaml:"activity-uuid" xml:"activity-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } +// Used to indicate that a task is dependent on another task. type TaskDependency struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} - -type ResponsibleRole struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids *[]string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. 
+ TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` } +// The timing under which the task is intended to occur. type EventTiming struct { - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty"` - OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty"` - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty"` + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty" xml:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty" xml:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty" xml:"within-date-range,omitempty"` } -type AssessmentPart struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period" yaml:"period" xml:"period"` + // The unit of time for the period. 
+ Unit TimeUnit `json:"unit" yaml:"unit" xml:"unit"` } -type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries" yaml:"entries"` +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date" yaml:"date" xml:"date"` } -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts" yaml:"parts"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end" yaml:"end" xml:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start" yaml:"start" xml:"start"` } -type Part struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. 
+type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` } -type ParameterConstraint struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Tests *[]ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty"` +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). 
This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. +type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap" yaml:"import-ap" xml:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Results []AssessmentResult `json:"results" yaml:"results" xml:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. +type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty" xml:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty" xml:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Findings []Finding `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this set of results. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type ParameterGuideline struct { - Prose string `json:"prose" yaml:"prose"` +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this event. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. +type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty" xml:"identified-subject,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. 
+ SubjectPlaceholderUUID string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid" xml:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } -type ParameterSelection struct { - Choice *[]string `json:"choice,omitempty" yaml:"choice,omitempty"` - HowMany string `json:"how-many,omitempty" yaml:"how-many,omitempty"` +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts" yaml:"parts" xml:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type ControlImplementationSet struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirementControlImplementation `json:"implemented-requirements" yaml:"implemented-requirements"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Source string `json:"source" yaml:"source"` - UUID string `json:"uuid" yaml:"uuid"` +// Describes an individual finding. +type Finding struct { + // A human-readable description of this finding. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. 
+ ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty" xml:"implementation-statement-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Target TargetClass `json:"target" yaml:"target" xml:"target"` + // The title for this finding. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. 
+type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid" yaml:"actor-uuid" xml:"actor-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type" yaml:"type" xml:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status" yaml:"status" xml:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id" yaml:"target-id" xml:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type" yaml:"type" xml:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state" yaml:"state" xml:"state"` } -type IncorporatesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. 
+ Reason *string `json:"reason,omitempty" yaml:"reason,omitempty" xml:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state" yaml:"state" xml:"state"` } -type Protocol struct { - Name string `json:"name" yaml:"name"` - PortRanges *[]PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } -type Origin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected" yaml:"collected" xml:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. 
+ // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty" xml:"expires,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Methods []string `json:"methods" yaml:"methods" xml:"methods"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty" xml:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Types []string `json:"types,omitempty" yaml:"types,omitempty" xml:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. + Description string `json:"description" yaml:"description" xml:"description"` + // A resolvable URL reference to relevant evidence. 
+ Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty" xml:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty" xml:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty" xml:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty" yaml:"remediations,omitempty" xml:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty" xml:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. + Statement string `json:"statement" yaml:"statement" xml:"statement"` + Status string `json:"status" yaml:"status" xml:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty" xml:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. 
+type Characterization struct { + Facets []Facet `json:"facets" yaml:"facets" xml:"facets"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origin FindingOrigin `json:"origin" yaml:"origin" xml:"origin"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type RelatedObservation struct { - ObservationUuid string `json:"observation-uuid" yaml:"observation-uuid"` +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system" yaml:"system" xml:"system"` + // Indicates the value of the facet. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. 
+ // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty" xml:"implementation-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. + Lifecycle string `json:"lifecycle" yaml:"lifecycle" xml:"lifecycle"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty" xml:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all risk-related tasks taken. +type RiskLog struct { + Entries []RiskLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type AssociatedRisk struct { - RiskUuid string `json:"risk-uuid" yaml:"risk-uuid"` +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty" xml:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + StatusChange *string `json:"status-change,omitempty" yaml:"status-change,omitempty" xml:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. 
+type RiskResponseReference struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid" yaml:"response-uuid" xml:"response-uuid"` } -type FindingTarget struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Status ObjectiveStatus `json:"status" yaml:"status"` - TargetId string `json:"target-id" yaml:"target-id"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + ID string `json:"id" yaml:"id" xml:"id"` + // Specifies the source of the threat information. 
+ System string `json:"system" yaml:"system" xml:"system"` } -type RelevantEvidence struct { - Description string `json:"description" yaml:"description"` - Href string `json:"href,omitempty" yaml:"href,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A structured, organized collection of control information. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + // Provides a globally unique means to identify a given catalog instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` } -type SubjectReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// A structured object representing a requirement or guideline, which when implemented will +// reduce an aspect of risk related to an information system and its information. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. 
+ Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + // Identifies a control such that it can be referenced in the defining catalog and other + // OSCAL instances (e.g., profiles). + ID string `json:"id" yaml:"id" xml:"id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the type, purpose, use or scope of + // the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // (deprecated) Another parameter invoking this one. This construct has been deprecated and + // should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A unique identifier for the parameter. + ID string `json:"id" yaml:"id" xml:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. 
+ Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test. +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty" xml:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint. + Expression string `json:"expression" yaml:"expression" xml:"expression"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. + Prose string `json:"prose" yaml:"prose" xml:"prose"` +} + +// Presenting a choice among alternatives. +type Selection struct { + Choice []string `json:"choice,omitempty" yaml:"choice,omitempty" xml:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. 
+ HowMany *ParameterCardinality `json:"how-many,omitempty" yaml:"how-many,omitempty" xml:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. +type CatalogGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // Identifies the group for the purpose of cross-linking within the defining instance or + // from other instances that reference the catalog. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. 
+type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty" xml:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty" xml:"import-component-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + // Provides a globally unique means to identify a given component definition instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` } +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description" yaml:"description" xml:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty" xml:"incorporates-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Provides a globally unique means to identify a given capability. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the component or capability supports a set of controls. 
+type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source" yaml:"source" xml:"source"` + // Provides a means to identify a set of control implementations that are supported by a + // given component or capability. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A suggestion from the supplier (e.g., component vendor or author) for how the specified + // control may be implemented if the containing component or capability is instantiated in a + // system security plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // Provides a globally unique means to identify a given control implementation by a + // component. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Values []string `json:"values" yaml:"values" xml:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The collection of components comprising this capability. +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type string `json:"type" yaml:"type" xml:"type"` + // Provides a globally unique means to identify a given component. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href" yaml:"href" xml:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. 
+type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Findings []Finding `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty" xml:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items" yaml:"poam-items" xml:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty" yaml:"system-id,omitempty" xml:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. 
+type PlanOfActionAndMilestonesLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedFindings []RelatedFinding `json:"related-findings,omitempty" yaml:"related-findings,omitempty" xml:"related-findings,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. type PoamItemOrigin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` } +// Relates the poam-item to referenced finding(s). type RelatedFinding struct { - FindingUuid string `json:"finding-uuid" yaml:"finding-uuid"` + // A machine-oriented identifier reference to a finding defined in the list of findings. + FindingUUID string `json:"finding-uuid" yaml:"finding-uuid" xml:"finding-uuid"` } -type Characterization struct { - Facets []Facet `json:"facets" yaml:"facets"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origin Origin `json:"origin" yaml:"origin"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. 
+ ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` } -type MitigatingFactor struct { - Description string `json:"description" yaml:"description"` - ImplementationUuid string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Response struct { - Description string `json:"description" yaml:"description"` - Lifecycle string `json:"lifecycle" yaml:"lifecycle"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RequiredAssets *[]RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` } -type RiskLog struct { - Entries []RiskLogEntry `json:"entries" yaml:"entries"` +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty" xml:"identifier-type,omitempty"` } -type ThreatId struct { - Href string `json:"href,omitempty" yaml:"href,omitempty"` - ID string `json:"id" yaml:"id"` - System string `json:"system" yaml:"system"` +// Each OSCAL profile is defined by a profile element. +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Imports []ImportResource `json:"imports" yaml:"imports" xml:"imports"` + Merge *MergeControls `json:"merge,omitempty" yaml:"merge,omitempty" xml:"merge,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Modify *ModifyControls `json:"modify,omitempty" yaml:"modify,omitempty" xml:"modify,omitempty"` + // Provides a globally unique means to identify a given profile instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Designates a referenced source catalog or profile that provides a source of control +// information for use in creating a new overlay or baseline. +type ImportResource struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
+ Href string `json:"href" yaml:"href" xml:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` +} + +// Select a control or controls from an imported control set. +type ImportExcludeControl struct { + Matching []MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty" xml:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty" xml:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty" yaml:"with-ids,omitempty" xml:"with-ids,omitempty"` +} + +// Selecting a set of controls by matching their IDs with a wildcard pattern. +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty" yaml:"pattern,omitempty" xml:"pattern,omitempty"` +} + +// Provides structuring directives that instruct how controls are organized after profile +// resolution. +type MergeControls struct { + // Indicates that the controls selected should retain their original grouping as defined in + // the import source. + AsIs *bool `json:"as-is,omitempty" yaml:"as-is,omitempty" xml:"as-is,omitempty"` + // A Combine element defines how to resolve duplicate instances of the same control (e.g., + // controls with the same ID). + Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty" xml:"combine,omitempty"` + // Provides an alternate grouping structure that selected controls will be placed in. 
+ Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty" xml:"custom,omitempty"` + // Directs that controls appear without any grouping structure. + Flat *FlatWithoutGrouping `json:"flat,omitempty" yaml:"flat,omitempty" xml:"flat,omitempty"` +} + +// A Combine element defines how to resolve duplicate instances of the same control (e.g., +// controls with the same ID). +type CombinationRule struct { + // Declare how clashing controls should be handled. + Method *CombinationMethod `json:"method,omitempty" yaml:"method,omitempty" xml:"method,omitempty"` } -type SelectControlById struct { - Matching *[]Matching `json:"matching,omitempty" yaml:"matching,omitempty"` - WithChildControls string `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty"` - WithIds *[]string `json:"with-ids,omitempty" yaml:"with-ids,omitempty"` +// Provides an alternate grouping structure that selected controls will be placed in. +type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls. +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // Identifies the group. 
+ ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name to be given to the group for use in display. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Specifies which controls to use in the containing context. +type InsertControls struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty" yaml:"order,omitempty" xml:"order,omitempty"` } -type CombinationRule struct { - Method string `json:"method,omitempty" yaml:"method,omitempty"` +// Directs that controls appear without any grouping structure. +type FlatWithoutGrouping struct { } -type CustomGrouping struct { - Groups *[]CustomGroupingGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` +// Set parameters or amend controls in resolution. 
+type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty" yaml:"alters,omitempty" xml:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` } -type FlatWithoutGrouping = map[string]interface{} - +// Specifies changes to be made to an included control when a profile is resolved. type Alteration struct { - Adds *[]Addition `json:"adds,omitempty" yaml:"adds,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Removes *[]Removal `json:"removes,omitempty" yaml:"removes,omitempty"` + Adds []Addition `json:"adds,omitempty" yaml:"adds,omitempty" xml:"adds,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Removes []Removal `json:"removes,omitempty" yaml:"removes,omitempty" xml:"removes,omitempty"` } +// Specifies contents to be added into controls, in resolution. +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside + // it). + Position *Position `json:"position,omitempty" yaml:"position,omitempty" xml:"position,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty" yaml:"by-class,omitempty" xml:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + // Identify items to remove by the name of the item's information object name, e.g. title or + // prop. + ByItemName *ItemNameReference `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty" xml:"by-item-name,omitempty"` + // Identify items remove by matching their assigned name. + ByName *string `json:"by-name,omitempty" yaml:"by-name,omitempty" xml:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty" yaml:"by-ns,omitempty" xml:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion. 
type ParameterSetting struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - ParamId string `json:"param-id" yaml:"param-id"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type ImplementedRequirement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]Statement `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SetParameter struct { - ParamId string `json:"param-id" yaml:"param-id"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Values []string `json:"values" yaml:"values"` + // A textual label that provides a characterization of the parameter. 
+ Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // An identifier for the parameter. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18. 
+type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation" yaml:"control-implementation" xml:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile" xml:"import-profile"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics" xml:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation" xml:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. 
+type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. 
+ ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. + Export *Export `json:"export,omitempty" yaml:"export,omitempty" xml:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty" xml:"inherited,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty" xml:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty" xml:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty" xml:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. +type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. 
+ ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. 
+ ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. 
+ ResponsibilityUUID *string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty" xml:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies which statements within a control are addressed. +type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. 
The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. +type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary" xml:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty" xml:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty" xml:"date-authorized,omitempty"` + // A summary of the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty" xml:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty" yaml:"security-impact-level,omitempty" xml:"security-impact-level,omitempty"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty" yaml:"security-sensitivity-level,omitempty" xml:"security-sensitivity-level,omitempty"` + Status SystemCharacteristicsStatus `json:"status" yaml:"status" xml:"status"` + SystemIDS []SystemIdentification `json:"system-ids" yaml:"system-ids" xml:"system-ids"` + SystemInformation SystemInformation `json:"system-information" yaml:"system-information" xml:"system-information"` + // The full name of the system. + SystemName string `json:"system-name" yaml:"system-name" xml:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty" xml:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. 
type AuthorizationBoundary struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's authorization boundary. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty" yaml:"caption,omitempty" xml:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). 
This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. type DataFlow struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's data flow. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. type NetworkArchitecture struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's network architecture. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. type SecurityImpactLevel struct { - SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability"` - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality"` - SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity"` -} - -type Status struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability" xml:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality" xml:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity" xml:"security-objective-integrity"` +} + +// Describes the operational status of the system. 
+type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state" yaml:"state" xml:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. type SystemInformation struct { - InformationTypes []InformationType `json:"information-types" yaml:"information-types"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` -} - -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized" yaml:"date-authorized"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type UsesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type SystemComponentStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Base64 struct { - Filename string `json:"filename,omitempty" yaml:"filename,omitempty"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Value string `json:"value" yaml:"value"` -} - -type Citation struct { - Links *[]Link `json:"links,omitempty" 
yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Text string `json:"text" yaml:"text"` -} - -type ResourceLink struct { - Hashes *[]Hash `json:"hashes,omitempty" yaml:"hashes,omitempty"` - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` -} - -type Step struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControls `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImplementedComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type AuthorizedPrivilege struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed"` - Title string `json:"title" yaml:"title"` -} - -type Address struct { - AddrLines *[]string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty"` - City string `json:"city,omitempty" yaml:"city,omitempty"` - Country string `json:"country,omitempty" yaml:"country,omitempty"` - PostalCode string `json:"postal-code,omitempty" yaml:"postal-code,omitempty"` - State string `json:"state,omitempty" 
yaml:"state,omitempty"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type TelephoneNumber struct { - Number string `json:"number" yaml:"number"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type PartyExternalIdentifier struct { - ID string `json:"id" yaml:"id"` - Scheme string `json:"scheme" yaml:"scheme"` -} - -type SelectObjectiveById struct { - ObjectiveId string `json:"objective-id" yaml:"objective-id"` -} - -type AssessedControlsSelectControlById struct { - ControlId string `json:"control-id" yaml:"control-id"` - StatementIds *[]string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty"` -} - -type FrequencyCondition struct { - Period int `json:"period" yaml:"period"` - Unit string `json:"unit" yaml:"unit"` -} - -type OnDateCondition struct { - Date time.Time `json:"date" yaml:"date"` -} - -type OnDateRangeCondition struct { - End time.Time `json:"end" yaml:"end"` - Start time.Time `json:"start" yaml:"start"` -} - -type AssessmentLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ConstraintTest struct { - Expression string `json:"expression" yaml:"expression"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type ImplementedRequirementControlImplementation struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string 
`json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PortRange struct { - End int `json:"end,omitempty" yaml:"end,omitempty"` - Start int `json:"start,omitempty" yaml:"start,omitempty"` - Transport string `json:"transport,omitempty" yaml:"transport,omitempty"` -} - -type OriginActor struct { - ActorUuid string `json:"actor-uuid" yaml:"actor-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` - Type string `json:"type" yaml:"type"` -} - -type RelatedTask struct { - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} - -type ImplementationStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type ObjectiveStatus struct { - Reason string `json:"reason,omitempty" yaml:"reason,omitempty"` 
- Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Facet struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - System string `json:"system" yaml:"system"` - Value string `json:"value" yaml:"value"` -} - -type RequiredAsset struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type RiskLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedResponses *[]RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - StatusChange string `json:"status-change,omitempty" yaml:"status-change,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Matching struct { - Pattern string `json:"pattern,omitempty" yaml:"pattern,omitempty"` -} - -type CustomGroupingGroup struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Groups *[]CustomGroupingGroup 
`json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type InsertControls struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Order string `json:"order,omitempty" yaml:"order,omitempty"` + InformationTypes []InformationType `json:"information-types" yaml:"information-types" xml:"information-types"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type Addition struct { - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Position string `json:"position,omitempty" yaml:"position,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` -} - -type Removal struct { - ByClass string `json:"by-class,omitempty" yaml:"by-class,omitempty"` - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - ByItemName string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty"` - ByName string `json:"by-name,omitempty" 
yaml:"by-name,omitempty"` - ByNs string `json:"by-ns,omitempty" yaml:"by-ns,omitempty"` -} - -type ByComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` - Export *Export `json:"export,omitempty" yaml:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Inherited *[]InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Satisfied *[]SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Statement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. 
+type InformationType struct { + AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty" yaml:"availability-impact,omitempty" xml:"availability-impact,omitempty"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty" xml:"categorizations,omitempty"` + ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty" yaml:"confidentiality-impact,omitempty" xml:"confidentiality-impact,omitempty"` + // A summary of how this information type is used within the system. + Description string `json:"description" yaml:"description" xml:"description"` + IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty" yaml:"integrity-impact,omitempty" xml:"integrity-impact,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// The expected level of impact resulting from the described information. 
+type ImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty" xml:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system" yaml:"system" xml:"system"` } -type Diagram struct { - Caption string `json:"caption,omitempty" yaml:"caption,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components" yaml:"components" xml:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty" xml:"leveraged-authorizations,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users" yaml:"users" xml:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized" yaml:"date-authorized" xml:"date-authorized"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Indicates the transport type. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) -type InformationType struct { - AvailabilityImpact *Impact `json:"availability-impact,omitempty" yaml:"availability-impact,omitempty"` - Categorizations *[]InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty"` - ConfidentialityImpact *Impact `json:"confidentiality-impact,omitempty" yaml:"confidentiality-impact,omitempty"` - Description string `json:"description" yaml:"description"` - IntegrityImpact *Impact `json:"integrity-impact,omitempty" yaml:"integrity-impact,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} +// The operational status. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. 
+// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. 
+// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) -type Hash struct { - Algorithm string `json:"algorithm" yaml:"algorithm"` - Value string `json:"value" yaml:"value"` -} +// A category describing the kind of party the object describes. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) -type LoggedBy struct { - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` -} +// The unit of time for the period. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) -type ControlStatementImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The kind of actor. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. 
+// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. 
+// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) -type IdentifiedSubject struct { - SubjectPlaceholderUuid string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` -} +// An indication as to whether the objective is satisfied or not. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) -type RiskResponseReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponseUuid string `json:"response-uuid" yaml:"response-uuid"` -} +// Identifies the type of the target. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. 
Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. 
This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) -type Export struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Provided *[]ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Responsibilities *[]ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty"` -} +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) -type InheritedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// When a control is included, whether its child (dependent) controls are also included. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. 
+// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. 
+// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) -type SatisfiedControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibilityUuid string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Declare how clashing controls should be handled. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. 
This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. 
+// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) -type Impact struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// A designation of how a selection of controls in a profile is to be ordered. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). 
+// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. 
+// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) -type InformationTypeCategorization struct { - InformationTypeIds *[]string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty"` - System string `json:"system" yaml:"system"` -} +// Where to add the new content with respect to the targeted element (beside it or inside +// it). +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) -type ProvidedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Identify items to remove by the name of the item's information object name, e.g. title or +// prop. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ItemNameReference string + +const ( + Link ItemNameReference = "link" + Map ItemNameReference = "map" + Mapping ItemNameReference = "mapping" + Param ItemNameReference = "param" + Part ItemNameReference = "part" + Prop ItemNameReference = "prop" +) -type ControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The current operating status. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. 
Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. 
This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/oscal-1-1-2/types.go b/src/types/oscal-1-1-2/types.go index 0a142c14..fe95d490 100644 --- a/src/types/oscal-1-1-2/types.go +++ b/src/types/oscal-1-1-2/types.go 
@@ -1,1273 +1,3754 @@ -/* -This file was auto-generated with go-oscal. +// This file was generated from JSON Schema using quicktype, do not modify it directly. +// To parse and unparse this JSON data, add this code to your project and do: +// +// oscalModels, err := UnmarshalOscalModels(bytes) +// bytes, err = oscalModels.Marshal() -To regenerate: - - go-oscal generate \ - --input-file \ - --output-file // the path to this file must already exist \ - --tags json,yaml // the tags to add to the Go structs \ - --pkg // defaults to "main" - -For more information on how to use go-oscal: go-oscal --help - -Source: https://github.com/defenseunicorns/go-oscal -*/ package oscalTypes_1_1_2 -import ( - "time" -) - -type OscalModels = OscalCompleteSchema -type OscalCompleteSchema struct { - AssessmentPlan *AssessmentPlan `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty"` - AssessmentResults *AssessmentResults `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty"` - Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestones `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty"` - Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty"` - SystemSecurityPlan *SystemSecurityPlan `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty"` -} - -type AssessmentPlan struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - AssessmentSubjects *[]AssessmentSubject `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportSsp ImportSsp `json:"import-ssp" yaml:"import-ssp"` - LocalDefinitions *LocalDefinitions 
`json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentResults struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ImportAp ImportAp `json:"import-ap" yaml:"import-ap"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Results []Result `json:"results" yaml:"results"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Capabilities *[]Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty"` - Components *[]DefinedComponent `json:"components,omitempty" yaml:"components,omitempty"` - ImportComponentDefinitions *[]ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestones struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - 
Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - ImportSsp *ImportSsp `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - PoamItems []PoamItem `json:"poam-items" yaml:"poam-items"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - SystemId *SystemId `json:"system-id,omitempty" yaml:"system-id,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - Imports []Import `json:"imports" yaml:"imports"` - Merge *Merge `json:"merge,omitempty" yaml:"merge,omitempty"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - Modify *Modify `json:"modify,omitempty" yaml:"modify,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemSecurityPlan struct { - BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty"` - ControlImplementation ControlImplementation `json:"control-implementation" yaml:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile"` - Metadata Metadata `json:"metadata" yaml:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation"` - UUID string `json:"uuid" yaml:"uuid"` -} - +import "time" + +import "encoding/json" + +func UnmarshalOscalModels(data []byte) (OscalModels, error) { + var r OscalModels + err := json.Unmarshal(data, &r) + return r, err +} + +func (r *OscalModels) Marshal() ([]byte, error) { + return json.Marshal(r) +} + +type OscalModels struct { + Schema *string 
`json:"$schema,omitempty" yaml:"$schema,omitempty" xml:"$schema,omitempty"` + Catalog *Catalog `json:"catalog,omitempty" yaml:"catalog,omitempty" xml:"catalog,omitempty"` + Profile *Profile `json:"profile,omitempty" yaml:"profile,omitempty" xml:"profile,omitempty"` + ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty" yaml:"component-definition,omitempty" xml:"component-definition,omitempty"` + SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty" yaml:"system-security-plan,omitempty" xml:"system-security-plan,omitempty"` + AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty" yaml:"assessment-plan,omitempty" xml:"assessment-plan,omitempty"` + AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty" yaml:"assessment-results,omitempty" xml:"assessment-results,omitempty"` + PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty" yaml:"plan-of-action-and-milestones,omitempty" xml:"plan-of-action-and-milestones,omitempty"` +} + +// An assessment plan, such as those provided by a FedRAMP assessor. +type SecurityAssessmentPlanSAP struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty" yaml:"assessment-subjects,omitempty" xml:"assessment-subjects,omitempty"` + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportSSP ImportSystemSecurityPlan `json:"import-ssp" yaml:"import-ssp" xml:"import-ssp"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. 
+ LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // Used to define various terms and conditions under which an assessment, described by the + // plan, can be performed. Each child part defines a different type of term or condition. + TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty" yaml:"terms-and-conditions,omitempty" xml:"terms-and-conditions,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment plan in this or other OSCAL instances. The locally defined + // UUID of the assessment plan can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the assets used to perform this assessment, such as the assessment team, +// scanning tools, and assumptions. 
type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatform `json:"assessment-platforms" yaml:"assessment-platforms"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` + AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms" yaml:"assessment-platforms" xml:"assessment-platforms"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` +} + +// Used to represent the toolset used to perform aspects of the assessment. +type AssessmentPlatformElement struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for the assessment platform. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + UsesComponents []UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty" xml:"uses-components,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment platform elsewhere in this or other OSCAL instances. The + // locally defined UUID of the assessment platform can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A reference to a local or remote resource, that has a specific relation to the containing +// object. +type LinkElement struct { + // A resolvable URL reference to a resource. 
+ Href string `json:"href" yaml:"href" xml:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. + MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + // Describes the type of relationship provided by the link's hypertext reference. This can + // be an indicator of the link's purpose. + Rel *string `json:"rel,omitempty" yaml:"rel,omitempty" xml:"rel,omitempty"` + // In case where the href points to a back-matter/resource, this value will indicate the URI + // fragment to append to any rlink associated with the resource. This value MUST be URI + // encoded. + ResourceFragment *string `json:"resource-fragment,omitempty" yaml:"resource-fragment,omitempty" xml:"resource-fragment,omitempty"` + // A textual label to associate with the link, which may be used for presentation in a tool. + Text *string `json:"text,omitempty" yaml:"text,omitempty" xml:"text,omitempty"` +} + +// An attribute, characteristic, or quality of the containing object expressed as a +// namespace qualified name/value pair. +type Property struct { + // A textual label that provides a sub-type or characterization of the property's name. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // An identifier for relating distinct sets of properties. + Group *string `json:"group,omitempty" yaml:"group,omitempty" xml:"group,omitempty"` + // A textual label, within a namespace, that uniquely identifies a specific attribute, + // characteristic, or quality of the property's containing object. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the property's name. This allows different organizations to + // associate distinct semantics with the same name. 
+ NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A unique identifier for a property. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` + // Indicates the value of the attribute, characteristic, or quality. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// The set of components that are used by the assessment platform. +type UsesComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type AssessmentSubject struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeSubjects *[]SelectSubjectById `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeSubjects *[]SelectSubjectById `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Type string `json:"type" yaml:"type"` +// A reference to a set of persons and/or organizations that have responsibility for +// performing the referenced role in the context of the containing object. 
+type ResponsibleParty struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids" yaml:"party-uuids" xml:"party-uuids"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A reference to a role performed by a party. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// A defined component that can be part of an implemented system. +type AssessmentAssetsComponent struct { + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // Describes the operational status of the system component. + Status ComponentStatus `json:"status" yaml:"status" xml:"status"` + // A human readable name for the system component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this component elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the component can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Information about the protocol used to provide a service. +type ServiceProtocolInformation struct { + // The common name of the protocol, which should be the appropriate "service name" from the + // IANA Service Name and Transport Protocol Port Number Registry. + Name string `json:"name" yaml:"name" xml:"name"` + PortRanges []PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty" xml:"port-ranges,omitempty"` + // A human readable name for the protocol (e.g., Transport Layer Security). + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this service protocol information elsewhere in this or other OSCAL + // instances. The locally defined UUID of the service protocol can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Where applicable this is the IPv4 port range on which the service operates. +type PortRange struct { + // Indicates the ending port number in a port range + End *int64 `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + // Indicates the starting port number in a port range + Start *int64 `json:"start,omitempty" yaml:"start,omitempty" xml:"start,omitempty"` + // Indicates the transport type. 
+ Transport *Transport `json:"transport,omitempty" yaml:"transport,omitempty" xml:"transport,omitempty"` } +// A reference to a role with responsibility for performing a function relative to the +// containing object, optionally associated with a set of persons and/or organizations that +// perform that role. +type ResponsibleRole struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + PartyUuids []string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty" xml:"party-uuids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human-oriented identifier reference to a role performed. + RoleID string `json:"role-id" yaml:"role-id" xml:"role-id"` +} + +// Describes the operational status of the system component. +type ComponentStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The operational status. + State PurpleState `json:"state" yaml:"state" xml:"state"` +} + +// Identifies system elements being assessed, such as components, inventory items, and +// locations. In the assessment plan, this identifies a planned assessment subject. In the +// assessment results this is an actual assessment subject, and reflects any changes from +// the plan. exactly what will be the focus of this assessment. Any subjects not identified +// in this way are out-of-scope. +type SubjectOfAssessment struct { + // A human-readable description of the collection of subjects being included in this + // assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty" yaml:"exclude-subjects,omitempty" xml:"exclude-subjects,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty" yaml:"include-subjects,omitempty" xml:"include-subjects,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Indicates the type of assessment subject, such as a component, inventory, item, location, + // or party represented by this selection statement. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Identifies a set of assessment subjects to include/exclude by UUID. +type SelectAssessmentSubject struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// Include all controls from the imported catalog or profile resources. +type IncludeAll struct { +} + +// A collection of resources that may be referenced from within the OSCAL document instance. 
type BackMatter struct { - Resources *[]Resource `json:"resources,omitempty" yaml:"resources,omitempty"` -} - -type ImportSsp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type LocalDefinitions struct { - Activities *[]Activity `json:"activities,omitempty" yaml:"activities,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - ObjectivesAndMethods *[]LocalObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users *[]SystemUser `json:"users,omitempty" yaml:"users,omitempty"` -} - -type Metadata struct { - Actions *[]Action `json:"actions,omitempty" yaml:"actions,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified" yaml:"last-modified"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Locations *[]Location `json:"locations,omitempty" yaml:"locations,omitempty"` - OscalVersion string `json:"oscal-version" yaml:"oscal-version"` - Parties *[]Party `json:"parties,omitempty" yaml:"parties,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Revisions *[]RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty"` - Roles *[]Role `json:"roles,omitempty" yaml:"roles,omitempty"` - Title string `json:"title" yaml:"title"` - Version string `json:"version" yaml:"version"` -} - -type ReviewedControls struct { - 
ControlObjectiveSelections *[]ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Task struct { - AssociatedActivities *[]AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty"` - Dependencies *[]TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type AssessmentPlanTermsAndConditions struct { - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` -} - -type ImportAp struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type Result struct { - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty"` - Attestations *[]AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty"` 
- Description string `json:"description" yaml:"description"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Findings *[]Finding `json:"findings,omitempty" yaml:"findings,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocalDefinitions *LocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty"` - Observations *[]Observation `json:"observations,omitempty" yaml:"observations,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ReviewedControls ReviewedControls `json:"reviewed-controls" yaml:"reviewed-controls"` - Risks *[]Risk `json:"risks,omitempty" yaml:"risks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Control struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type Group struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Controls *[]Control `json:"controls,omitempty" yaml:"controls,omitempty"` - Groups *[]Group `json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` + 
Resources []Resource `json:"resources,omitempty" yaml:"resources,omitempty" xml:"resources,omitempty"` } -type Parameter struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - ID string `json:"id" yaml:"id"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type Capability struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - IncorporatesComponents *[]IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DefinedComponent struct { - ControlImplementations *[]ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols 
*[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImportComponentDefinition struct { - Href string `json:"href" yaml:"href"` -} - -type Finding struct { - Description string `json:"description" yaml:"description"` - ImplementationStatementUuid string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Target FindingTarget `json:"target" yaml:"target"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PlanOfActionAndMilestonesLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty"` - Components *[]SystemComponent `json:"components,omitempty" yaml:"components,omitempty"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A resource associated with content in the containing document instance. 
A resource may be +// directly included in the document using base64 encoding or may point to one or more +// equivalent internet resources. +type Resource struct { + // A resource encoded using the Base64 alphabet defined by RFC 2045. + Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty" xml:"base64,omitempty"` + // An optional citation consisting of end note text using structured markup. + Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty" xml:"citation,omitempty"` + // An optional short summary of the resource used to indicate the purpose of the resource. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Rlinks []ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty" xml:"rlinks,omitempty"` + // An optional name given to the resource, which may be used by a tool for display and + // navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A unique identifier for a resource. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A resource encoded using the Base64 alphabet defined by RFC 2045. +type Base64 struct { + // Name of the file before it was encoded as Base64 to be embedded in a resource. This is + // the name that will be assigned to the file when the file is decoded. + Filename *string `json:"filename,omitempty" yaml:"filename,omitempty" xml:"filename,omitempty"` + // A label that indicates the nature of a resource, as a data serialization or format. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Observation struct { - Collected time.Time `json:"collected" yaml:"collected"` - Description string `json:"description" yaml:"description"` - Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Methods []string `json:"methods" yaml:"methods"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelevantEvidence *[]RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Types *[]string `json:"types,omitempty" yaml:"types,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PoamItem struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedFindings *[]RelatedFinding `json:"related-findings,omitempty" yaml:"related-findings,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - RelatedRisks *[]AssociatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} - -type Risk struct { - Characterizations *[]Characterization `json:"characterizations,omitempty" 
yaml:"characterizations,omitempty"` - Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - MitigatingFactors *[]MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedObservations *[]RelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty"` - Remediations *[]Response `json:"remediations,omitempty" yaml:"remediations,omitempty"` - RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty"` - Statement string `json:"statement" yaml:"statement"` - Status string `json:"status" yaml:"status"` - ThreatIds *[]ThreatId `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemId struct { - ID string `json:"id" yaml:"id"` - IdentifierType string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty"` -} - -type Import struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - Href string `json:"href" yaml:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` -} - -type Merge struct { - AsIs bool `json:"as-is,omitempty" yaml:"as-is,omitempty"` - Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty"` - Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty"` - Flat *FlatWithoutGrouping `json:"flat,omitempty" yaml:"flat,omitempty"` -} - -type Modify struct { - Alters *[]Alteration `json:"alters,omitempty" yaml:"alters,omitempty"` - SetParameters 
*[]ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` -} - -type ControlImplementation struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirement `json:"implemented-requirements" yaml:"implemented-requirements"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` +// An optional citation consisting of end note text using structured markup. +type Citation struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A line of citation text. + Text string `json:"text" yaml:"text" xml:"text"` } -type ImportProfile struct { - Href string `json:"href" yaml:"href"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A document identifier qualified by an identifier scheme. +type DocumentIdentifier struct { + Identifier string `json:"identifier" yaml:"identifier" xml:"identifier"` + // Qualifies the kind of document identifier using a URI. If the scheme is not provided the + // value of the element will be interpreted as a string of characters. 
+ Scheme *string `json:"scheme,omitempty" yaml:"scheme,omitempty" xml:"scheme,omitempty"` } -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty"` - DateAuthorized string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty"` - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty" yaml:"security-impact-level,omitempty"` - SecuritySensitivityLevel string `json:"security-sensitivity-level,omitempty" yaml:"security-sensitivity-level,omitempty"` - Status Status `json:"status" yaml:"status"` - SystemIds []SystemId `json:"system-ids" yaml:"system-ids"` - SystemInformation SystemInformation `json:"system-information" yaml:"system-information"` - SystemName string `json:"system-name" yaml:"system-name"` - SystemNameShort string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty"` +// A URL-based pointer to an external resource with an optional hash for verification and +// change detection. +type ResourceLink struct { + Hashes []Hash `json:"hashes,omitempty" yaml:"hashes,omitempty" xml:"hashes,omitempty"` + // A resolvable URL pointing to the referenced resource. + Href string `json:"href" yaml:"href" xml:"href"` + // A label that indicates the nature of a resource, as a data serialization or format. 
+ MediaType *string `json:"media-type,omitempty" yaml:"media-type,omitempty" xml:"media-type,omitempty"` } -type SystemImplementation struct { - Components []SystemComponent `json:"components" yaml:"components"` - InventoryItems *[]InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty"` - LeveragedAuthorizations *[]LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Users []SystemUser `json:"users" yaml:"users"` -} - -type AssessmentPlatform struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UsesComponents *[]UsesComponent `json:"uses-components,omitempty" yaml:"uses-components,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SystemComponent struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Protocols *[]Protocol `json:"protocols,omitempty" yaml:"protocols,omitempty"` - Purpose string `json:"purpose,omitempty" yaml:"purpose,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Status SystemComponentStatus `json:"status" yaml:"status"` - Title string `json:"title" yaml:"title"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SelectSubjectById struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props 
*[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Type string `json:"type" yaml:"type"` -} - -type IncludeAll = map[string]interface{} - -type Link struct { - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Rel string `json:"rel,omitempty" yaml:"rel,omitempty"` - ResourceFragment string `json:"resource-fragment,omitempty" yaml:"resource-fragment,omitempty"` - Text string `json:"text,omitempty" yaml:"text,omitempty"` +// A representation of a cryptographic digest generated over a resource using a specified +// hash algorithm. +type Hash struct { + // The digest method by which a hash is derived. + Algorithm string `json:"algorithm" yaml:"algorithm" xml:"algorithm"` + Value string `json:"value" yaml:"value" xml:"value"` } -type Property struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Group string `json:"group,omitempty" yaml:"group,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` - Value string `json:"value" yaml:"value"` +// Used by the assessment plan and POA&M to import information about the system. +type ImportSystemSecurityPlan struct { + // A resolvable URL reference to the system security plan for the system being assessed. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } -type Resource struct { - Base64 *Base64 `json:"base64,omitempty" yaml:"base64,omitempty"` - Citation *Citation `json:"citation,omitempty" yaml:"citation,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - DocumentIds *[]DocumentId `json:"document-ids,omitempty" yaml:"document-ids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Rlinks *[]ResourceLink `json:"rlinks,omitempty" yaml:"rlinks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentPlanLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } +// Identifies an assessment or related process that can be performed. In the assessment +// plan, this is an intended activity which may be associated with an assessment task. In +// the assessment results, this an activity that was actually performed as part of an +// assessment. 
type Activity struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedControls *ReviewedControls `json:"related-controls,omitempty" yaml:"related-controls,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Steps *[]Step `json:"steps,omitempty" yaml:"steps,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - + // A human-readable description of this included activity. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty" yaml:"related-controls,omitempty" xml:"related-controls,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Steps []Step `json:"steps,omitempty" yaml:"steps,omitempty" xml:"steps,omitempty"` + // The title for this included activity. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment activity elsewhere in this or other OSCAL instances. The + // locally defined UUID of the activity can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the controls being assessed and their control objectives. +type ReviewedControlsAndControlObjectives struct { + ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty" yaml:"control-objective-selections,omitempty" xml:"control-objective-selections,omitempty"` + ControlSelections []AssessedControls `json:"control-selections" yaml:"control-selections" xml:"control-selections"` + // A human-readable description of control objectives. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Identifies the control objectives of the assessment. In the assessment plan, these are +// the planned objectives. In the assessment results, these are the assessed objectives, and +// reflects any changes from the plan. +type ReferencedControlObjectives struct { + // A human-readable description of this collection of control objectives. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty" xml:"exclude-objectives,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeObjectives []SelectObjective `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty" xml:"include-objectives,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control objective for inclusion/exclusion based on the control +// objective's identifier. +type SelectObjective struct { + // Points to an assessment objective. + ObjectiveID string `json:"objective-id" yaml:"objective-id" xml:"objective-id"` +} + +// Identifies the controls being assessed. In the assessment plan, these are the planned +// controls. In the assessment results, these are the actual controls, and reflects any +// changes from the plan. +type AssessedControls struct { + // A human-readable description of in-scope controls specified for assessment. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to select a control for inclusion/exclusion based on one or more control +// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +// to only specific control statements providing more granularity over the specific +// statements that are within the asessment scope. +type ControlSelectionExcludeControl struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + StatementIDS []string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty" xml:"statement-ids,omitempty"` +} + +// Identifies an individual step in a series of steps related to an activity, such as an +// assessment test or examination procedure. +type Step struct { + // A human-readable description of this step. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty" xml:"reviewed-controls,omitempty"` + // The title for this step. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this step elsewhere in this or other OSCAL instances. The locally defined + // UUID of the step (in a series of steps) can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A single managed inventory item within the system. 
type InventoryItem struct { - Description string `json:"description" yaml:"description"` - ImplementedComponents *[]ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type LocalObjective struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Parts []Part `json:"parts" yaml:"parts"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - + // A summary of the inventory item stating its purpose within the system. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty" yaml:"implemented-components,omitempty" xml:"implemented-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inventory item elsewhere in this or other OSCAL instances. 
The locally + // defined UUID of the inventory item can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The set of components that are implemented in a given system inventory item. +type ImplementedComponent struct { + // A machine-oriented identifier reference to a component that is implemented as part of an + // inventory item. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` +} + +// A local definition of a control objective for this assessment. Uses catalog syntax for +// control objective and assessment actions. +type AssessmentSpecificControlObjective struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A human-readable description of this control objective. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Parts []PartElement `json:"parts" yaml:"parts" xml:"parts"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// An annotated, markup-based textual element of a control's or catalog group's definition, +// or a child of another part. +type PartElement struct { + // An optional textual providing a sub-type or characterization of the part's name, or a + // category to which the part belongs. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + // A unique identifier for the part. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type, which exists in a + // value space qualified by the ns. + Name string `json:"name" yaml:"name" xml:"name"` + // An optional namespace qualifying the part's name. This allows different organizations to + // associate distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // An optional name given to the part, which may be used by a tool for display and + // navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// A type of user that interacts with the system based on an associated role. type SystemUser struct { - AuthorizedPrivileges *[]AuthorizedPrivilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleIds *[]string `json:"role-ids,omitempty" yaml:"role-ids,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - + AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty" yaml:"authorized-privileges,omitempty" xml:"authorized-privileges,omitempty"` + // A summary of the user's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RoleIDS []string `json:"role-ids,omitempty" yaml:"role-ids,omitempty" xml:"role-ids,omitempty"` + // A short common name, abbreviation, or acronym for the user. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the user, which may be used by a tool for display and navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this user class elsewhere in this or other OSCAL instances. The locally + // defined UUID of the system user can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies a specific system privilege held by the user, along with an associated +// description and/or rationale for the privilege. +type Privilege struct { + // A summary of the privilege's purpose within the system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed" xml:"functions-performed"` + // A human readable name for the privilege. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Provides information about the containing document, and defines concepts that are shared +// across the document. 
+type DocumentMetadata struct { + Actions []Action `json:"actions,omitempty" yaml:"actions,omitempty" xml:"actions,omitempty"` + DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty" yaml:"document-ids,omitempty" xml:"document-ids,omitempty"` + LastModified time.Time `json:"last-modified" yaml:"last-modified" xml:"last-modified"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Locations []Location `json:"locations,omitempty" yaml:"locations,omitempty" xml:"locations,omitempty"` + OscalVersion string `json:"oscal-version" yaml:"oscal-version" xml:"oscal-version"` + Parties []PartyElement `json:"parties,omitempty" yaml:"parties,omitempty" xml:"parties,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Revisions []RevisionHistoryEntry `json:"revisions,omitempty" yaml:"revisions,omitempty" xml:"revisions,omitempty"` + Roles []Role `json:"roles,omitempty" yaml:"roles,omitempty" xml:"roles,omitempty"` + // A name given to the document, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// An action applied by a role within a given party to the content. 
type Action struct { - Date *time.Time `json:"date,omitempty" yaml:"date,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - System string `json:"system" yaml:"system"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type DocumentId struct { - Identifier string `json:"identifier" yaml:"identifier"` - Scheme string `json:"scheme,omitempty" yaml:"scheme,omitempty"` -} - + // The date and time when the action occurred. + Date *time.Time `json:"date,omitempty" yaml:"date,omitempty" xml:"date,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + // Specifies the action type system used. + System string `json:"system" yaml:"system" xml:"system"` + // The type of action documented by the assembly, such as an approval. + Type string `json:"type" yaml:"type" xml:"type"` + // A unique identifier that can be used to reference this defined action elsewhere in an + // OSCAL document. A UUID should be consistently used for a given location across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A physical point of presence, which may be associated with people, organizations, or +// other concepts within the current or linked OSCAL document. 
type Location struct { - Address *Address `json:"address,omitempty" yaml:"address,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Urls *[]string `json:"urls,omitempty" yaml:"urls,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Party struct { - Addresses *[]Address `json:"addresses,omitempty" yaml:"addresses,omitempty"` - EmailAddresses *[]string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty"` - ExternalIds *[]PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LocationUuids *[]string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty"` - MemberOfOrganizations *[]string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty"` - Name string `json:"name,omitempty" yaml:"name,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - TelephoneNumbers *[]TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty"` - Type string `json:"type" yaml:"type"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ResponsibleParty struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids []string `json:"party-uuids" yaml:"party-uuids"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" 
yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` + Address *Address `json:"address,omitempty" yaml:"address,omitempty" xml:"address,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A name given to the location, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Urls []string `json:"urls,omitempty" yaml:"urls,omitempty" xml:"urls,omitempty"` + // A unique ID for the location, for reference. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A postal address for the location. +type Address struct { + AddrLines []string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty" xml:"addr-lines,omitempty"` + // City, town or geographical region for the mailing address. + City *string `json:"city,omitempty" yaml:"city,omitempty" xml:"city,omitempty"` + // The ISO 3166-1 alpha-2 country code for the mailing address. + Country *string `json:"country,omitempty" yaml:"country,omitempty" xml:"country,omitempty"` + // Postal or ZIP code for mailing address. + PostalCode *string `json:"postal-code,omitempty" yaml:"postal-code,omitempty" xml:"postal-code,omitempty"` + // State, province or analogous geographical region for a mailing address. + State *string `json:"state,omitempty" yaml:"state,omitempty" xml:"state,omitempty"` + // Indicates the type of address. 
+ Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// A telephone service number as defined by ITU-T E.164. +type TelephoneNumber struct { + Number string `json:"number" yaml:"number" xml:"number"` + // Indicates the type of phone number. + Type *string `json:"type,omitempty" yaml:"type,omitempty" xml:"type,omitempty"` +} + +// An organization or person, which may be associated with roles or other concepts within +// the current or linked OSCAL document. +type PartyElement struct { + Addresses []Address `json:"addresses,omitempty" yaml:"addresses,omitempty" xml:"addresses,omitempty"` + EmailAddresses []string `json:"email-addresses,omitempty" yaml:"email-addresses,omitempty" xml:"email-addresses,omitempty"` + ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty" yaml:"external-ids,omitempty" xml:"external-ids,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LocationUuids []string `json:"location-uuids,omitempty" yaml:"location-uuids,omitempty" xml:"location-uuids,omitempty"` + MemberOfOrganizations []string `json:"member-of-organizations,omitempty" yaml:"member-of-organizations,omitempty" xml:"member-of-organizations,omitempty"` + // The full name of the party. This is typically the legal name associated with the party. + Name *string `json:"name,omitempty" yaml:"name,omitempty" xml:"name,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the party. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty" yaml:"telephone-numbers,omitempty" xml:"telephone-numbers,omitempty"` + // A category describing the kind of party the object describes. 
+ Type PartyType `json:"type" yaml:"type" xml:"type"` + // A unique identifier for the party. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// An identifier for a person or organization using a designated scheme. e.g. an Open +// Researcher and Contributor ID (ORCID). +type PartyExternalIdentifier struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Indicates the type of external identifier. + Scheme string `json:"scheme" yaml:"scheme" xml:"scheme"` } +// An entry in a sequential list of revisions to the containing document, expected to be in +// reverse chronological order (i.e. latest first). type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - OscalVersion string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Published *time.Time `json:"published,omitempty" yaml:"published,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Version string `json:"version" yaml:"version"` -} - + LastModified *time.Time `json:"last-modified,omitempty" yaml:"last-modified,omitempty" xml:"last-modified,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + OscalVersion *string `json:"oscal-version,omitempty" yaml:"oscal-version,omitempty" xml:"oscal-version,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Published *time.Time `json:"published,omitempty" yaml:"published,omitempty" xml:"published,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A name given to the document revision, which may be used by a tool for display and + // navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Version string `json:"version" yaml:"version" xml:"version"` +} + +// Defines a function, which might be assigned to a party in a specific situation. type Role struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ID string `json:"id" yaml:"id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ShortName string `json:"short-name,omitempty" yaml:"short-name,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type ReferencedControlObjectives struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeObjectives *[]SelectObjectiveById `json:"exclude-objectives,omitempty" yaml:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeObjectives *[]SelectObjectiveById `json:"include-objectives,omitempty" yaml:"include-objectives,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type AssessedControls struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ExcludeControls *[]AssessedControlsSelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]AssessedControlsSelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} 
- + // A summary of the role's purpose and associated responsibilities. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // A unique identifier for the role. + ID string `json:"id" yaml:"id" xml:"id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A short common name, abbreviation, or acronym for the role. + ShortName *string `json:"short-name,omitempty" yaml:"short-name,omitempty" xml:"short-name,omitempty"` + // A name given to the role, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Represents a scheduled event or milestone, which may be associated with a series of +// assessment actions. +type Task struct { + AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty" yaml:"associated-activities,omitempty" xml:"associated-activities,omitempty"` + Dependencies []TaskDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty" xml:"dependencies,omitempty"` + // A human-readable description of this task. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The timing under which the task is intended to occur. + Timing *EventTiming `json:"timing,omitempty" yaml:"timing,omitempty" xml:"timing,omitempty"` + // The title for this task. + Title string `json:"title" yaml:"title" xml:"title"` + // The type of task. + Type string `json:"type" yaml:"type" xml:"type"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this task elsewhere in this or other OSCAL instances. The locally defined + // UUID of the task can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual activity to be performed as part of a task. 
type AssociatedActivity struct { - ActivityUuid string `json:"activity-uuid" yaml:"activity-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` + // A machine-oriented identifier reference to an activity defined in the list of activities. + ActivityUUID string `json:"activity-uuid" yaml:"activity-uuid" xml:"activity-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } +// Used to indicate that a task is dependent on another task. type TaskDependency struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} - -type ResponsibleRole struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuids *[]string `json:"party-uuids,omitempty" yaml:"party-uuids,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RoleId string `json:"role-id" yaml:"role-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique task. 
+ TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` } +// The timing under which the task is intended to occur. type EventTiming struct { - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty"` - OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty"` - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty"` + // The task is intended to occur at the specified frequency. + AtFrequency *FrequencyCondition `json:"at-frequency,omitempty" yaml:"at-frequency,omitempty" xml:"at-frequency,omitempty"` + // The task is intended to occur on the specified date. + OnDate *OnDateCondition `json:"on-date,omitempty" yaml:"on-date,omitempty" xml:"on-date,omitempty"` + // The task is intended to occur within the specified date range. + WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty" yaml:"within-date-range,omitempty" xml:"within-date-range,omitempty"` } -type AssessmentPart struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// The task is intended to occur at the specified frequency. +type FrequencyCondition struct { + // The task must occur after the specified period has elapsed. + Period int64 `json:"period" yaml:"period" xml:"period"` + // The unit of time for the period. 
+ Unit TimeUnit `json:"unit" yaml:"unit" xml:"unit"` } -type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries" yaml:"entries"` +// The task is intended to occur on the specified date. +type OnDateCondition struct { + // The task must occur on the specified date. + Date time.Time `json:"date" yaml:"date" xml:"date"` } -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts" yaml:"parts"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` +// The task is intended to occur within the specified date range. +type OnDateRangeCondition struct { + // The task must occur on or before the specified date. + End time.Time `json:"end" yaml:"end" xml:"end"` + // The task must occur on or after the specified date. + Start time.Time `json:"start" yaml:"start" xml:"start"` } -type Part struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Ns string `json:"ns,omitempty" yaml:"ns,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Prose string `json:"prose,omitempty" yaml:"prose,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` +// Used to define various terms and conditions under which an assessment, described by the +// plan, can be performed. Each child part defines a different type of term or condition. 
+type AssessmentPlanTermsAndConditions struct { + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` } -type ParameterConstraint struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Tests *[]ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty"` +// A partition of an assessment plan or results or a child of another part. +type AssessmentPart struct { + // A textual label that provides a sub-type or characterization of the part's name. This can + // be used to further distinguish or discriminate between the semantics of multiple parts of + // the same control with the same name and ns. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A textual label that uniquely identifies the part's semantic type. + Name string `json:"name" yaml:"name" xml:"name"` + // A namespace qualifying the part's name. This allows different organizations to associate + // distinct semantics with the same name. + NS *string `json:"ns,omitempty" yaml:"ns,omitempty" xml:"ns,omitempty"` + Parts []AssessmentPart `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // Permits multiple paragraphs, lists, tables etc. + Prose *string `json:"prose,omitempty" yaml:"prose,omitempty" xml:"prose,omitempty"` + // A name given to the part, which may be used by a tool for display and navigation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this part elsewhere in this or other OSCAL instances. The locally defined + // UUID of the part can be used to reference the data item locally or globally (e.g., in an + // ported OSCAL instance). 
This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +// Security Assessment Report. +type SecurityAssessmentResultsSAR struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ImportAp ImportAssessmentPlan `json:"import-ap" yaml:"import-ap" xml:"import-ap"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Results []AssessmentResult `json:"results" yaml:"results" xml:"results"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this assessment results instance in this or other OSCAL instances. The + // locally defined UUID of the assessment result can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used by assessment-results to import information about the original plan for assessing +// the system. +type ImportAssessmentPlan struct { + // A resolvable URL reference to the assessment plan governing the assessment activities. 
+ Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type AssessmentResultsLocalDefinitions struct { + Activities []Activity `json:"activities,omitempty" yaml:"activities,omitempty" xml:"activities,omitempty"` + ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty" yaml:"objectives-and-methods,omitempty" xml:"objectives-and-methods,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Used by the assessment results and POA&M. In the assessment results, this identifies all +// of the assessment observations and findings, initial and residual risks, deviations, and +// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +// disposition. +type AssessmentResult struct { + // A log of all assessment-related actions taken. + AssessmentLog *AssessmentLog `json:"assessment-log,omitempty" yaml:"assessment-log,omitempty" xml:"assessment-log,omitempty"` + Attestations []AttestationStatements `json:"attestations,omitempty" yaml:"attestations,omitempty" xml:"attestations,omitempty"` + // A human-readable description of this set of test results. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time stamp identifying the end of the evidence collection reflected in these + // results. In a continuous motoring scenario, this may contain the same value as start if + // appropriate. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Findings []Finding `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // Used to define data objects that are used in the assessment plan, that do not appear in + // the referenced SSP. + LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls" yaml:"reviewed-controls" xml:"reviewed-controls"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + // Date/time stamp identifying the start of the evidence collection reflected in these + // results. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this set of results. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this set of results in this or other OSCAL instances. The locally defined + // UUID of the assessment result can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all assessment-related actions taken. 
+type AssessmentLog struct { + Entries []AssessmentLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type ParameterGuideline struct { - Prose string `json:"prose" yaml:"prose"` +// Identifies the result of an action and/or task that occurred as part of executing an +// assessment plan or an assessment event that occurred in producing the assessment results. +type AssessmentLogEntry struct { + // A human-readable description of this event. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of an event. If the event is a point in time, the start + // and end will be the same date and time. + End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of an event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + // The title for this event. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference an assessment event in this or other OSCAL instances. The locally defined + // UUID of the assessment log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to indicate who created a log entry in what role. +type LoggedBy struct { + // A machine-oriented identifier reference to the party who is making the log entry. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + // A point to the role-id of the role in which the party is making the log entry. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` +} + +// Identifies an individual task for which the containing object is a consequence of. +type TaskReference struct { + // Used to detail assessment subjects that were identfied by this task. + IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty" xml:"identified-subject,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + Subjects []SubjectOfAssessment `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented identifier reference to a unique task. + TaskUUID string `json:"task-uuid" yaml:"task-uuid" xml:"task-uuid"` +} + +// Used to detail assessment subjects that were identfied by this task. +type IdentifiedSubject struct { + // A machine-oriented identifier reference to a unique assessment subject placeholder + // defined by this task. 
+ SubjectPlaceholderUUID string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid" xml:"subject-placeholder-uuid"` + Subjects []SubjectOfAssessment `json:"subjects" yaml:"subjects" xml:"subjects"` } -type ParameterSelection struct { - Choice *[]string `json:"choice,omitempty" yaml:"choice,omitempty"` - HowMany string `json:"how-many,omitempty" yaml:"how-many,omitempty"` +// A set of textual statements, typically written by the assessor. +type AttestationStatements struct { + Parts []AssessmentPart `json:"parts" yaml:"parts" xml:"parts"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` } -type ControlImplementationSet struct { - Description string `json:"description" yaml:"description"` - ImplementedRequirements []ImplementedRequirementControlImplementation `json:"implemented-requirements" yaml:"implemented-requirements"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Source string `json:"source" yaml:"source"` - UUID string `json:"uuid" yaml:"uuid"` +// Describes an individual finding. +type Finding struct { + // A human-readable description of this finding. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented identifier reference to the implementation statement in the SSP to + // which this finding is related. 
+ ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty" yaml:"implementation-statement-uuid,omitempty" xml:"implementation-statement-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Target TargetClass `json:"target" yaml:"target" xml:"target"` + // The title for this finding. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this finding in this or other OSCAL instances. The locally defined UUID of + // the finding can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the source of the finding, such as a tool, interviewed person, or activity. +type FindingOrigin struct { + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` +} + +// The actor that produces an observation, a finding, or a risk. One or more actor type can +// be used to specify a person that is using a tool. 
+type OriginatingActor struct { + // A machine-oriented identifier reference to the tool or person based on the associated + // type. + ActorUUID string `json:"actor-uuid" yaml:"actor-uuid" xml:"actor-uuid"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // For a party, this can optionally be used to specify the role the actor was performing. + RoleID *string `json:"role-id,omitempty" yaml:"role-id,omitempty" xml:"role-id,omitempty"` + // The kind of actor. + Type ActorType `json:"type" yaml:"type" xml:"type"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type FindingRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Relates the finding to a set of referenced risks that were used to determine the finding. +type FindingRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` +} + +// Captures an assessor's conclusions regarding the degree to which an objective is +// satisfied. +type TargetClass struct { + // A human-readable description of the assessor's conclusions regarding the degree to which + // an objective is satisfied. 
+ Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A determination of if the objective is satisfied or not within a given system. + Status StatusClass `json:"status" yaml:"status" xml:"status"` + // A machine-oriented identifier reference for a specific target qualified by the type. + TargetID string `json:"target-id" yaml:"target-id" xml:"target-id"` + // The title for this objective status. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Identifies the type of the target. + Type FindingTargetType `json:"type" yaml:"type" xml:"type"` +} + +// Indicates the degree to which the a given control is implemented. +type ImplementationStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the implementation status of the control or control objective. + State string `json:"state" yaml:"state" xml:"state"` } -type IncorporatesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` +// A determination of if the objective is satisfied or not within a given system. +type StatusClass struct { + // The reason the objective was given it's status. 
+ Reason *string `json:"reason,omitempty" yaml:"reason,omitempty" xml:"reason,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // An indication as to whether the objective is satisfied or not. + State ObjectiveStatusState `json:"state" yaml:"state" xml:"state"` } -type Protocol struct { - Name string `json:"name" yaml:"name"` - PortRanges *[]PortRange `json:"port-ranges,omitempty" yaml:"port-ranges,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` +// Used to define data objects that are used in the assessment plan, that do not appear in +// the referenced SSP. +type ResultLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + Users []SystemUser `json:"users,omitempty" yaml:"users,omitempty" xml:"users,omitempty"` } -type Origin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` +// Describes an individual observation. +type Observation struct { + // Date/time stamp identifying when the finding information was collected. + Collected time.Time `json:"collected" yaml:"collected" xml:"collected"` + // A human-readable description of this assessment observation. + Description string `json:"description" yaml:"description" xml:"description"` + // Date/time identifying when the finding information is out-of-date and no longer valid. 
+ // Typically used with continuous assessment scenarios. + Expires *time.Time `json:"expires,omitempty" yaml:"expires,omitempty" xml:"expires,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Methods []string `json:"methods" yaml:"methods" xml:"methods"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty" yaml:"relevant-evidence,omitempty" xml:"relevant-evidence,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this observation. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + Types []string `json:"types,omitempty" yaml:"types,omitempty" xml:"types,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this observation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the observation can be used to reference the data item locally or + // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Links this observation to relevant evidence. +type RelevantEvidence struct { + // A human-readable description of this evidence. + Description string `json:"description" yaml:"description" xml:"description"` + // A resolvable URL reference to relevant evidence. 
+ Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A human-oriented identifier reference to a resource. Use type to indicate whether the +// identified resource is a component, inventory item, location, user, or something else. +type IdentifiesTheSubject struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a component, inventory-item, location, party, + // user, or resource using it's UUID. + SubjectUUID string `json:"subject-uuid" yaml:"subject-uuid" xml:"subject-uuid"` + // The title or name for the referenced subject. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // Used to indicate the type of object pointed to by the uuid-ref within a subject. + Type string `json:"type" yaml:"type" xml:"type"` +} + +// An identified risk. +type IdentifiedRisk struct { + Characterizations []Characterization `json:"characterizations,omitempty" yaml:"characterizations,omitempty" xml:"characterizations,omitempty"` + // The date/time by which the risk must be resolved. + Deadline *time.Time `json:"deadline,omitempty" yaml:"deadline,omitempty" xml:"deadline,omitempty"` + // A human-readable summary of the identified risk, to include a statement of how the risk + // impacts the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty" yaml:"mitigating-factors,omitempty" xml:"mitigating-factors,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + Remediations []RiskResponse `json:"remediations,omitempty" yaml:"remediations,omitempty" xml:"remediations,omitempty"` + // A log of all risk-related tasks taken. + RiskLog *RiskLog `json:"risk-log,omitempty" yaml:"risk-log,omitempty" xml:"risk-log,omitempty"` + // An summary of impact for how the risk affects the system. + Statement string `json:"statement" yaml:"statement" xml:"statement"` + Status string `json:"status" yaml:"status" xml:"status"` + ThreatIDS []ThreatID `json:"threat-ids,omitempty" yaml:"threat-ids,omitempty" xml:"threat-ids,omitempty"` + // The title for this risk. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk elsewhere in this or other OSCAL instances. The locally defined + // UUID of the risk can be used to reference the data item locally or globally (e.g., in an + // imported OSCAL instance). This UUID should be assigned per-subject, which means it should + // be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A collection of descriptive data about the containing object from a specific origin. 
+type Characterization struct { + Facets []Facet `json:"facets" yaml:"facets" xml:"facets"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origin FindingOrigin `json:"origin" yaml:"origin" xml:"origin"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type RelatedObservation struct { - ObservationUuid string `json:"observation-uuid" yaml:"observation-uuid"` +// An individual characteristic that is part of a larger set produced by the same actor. +type Facet struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The name of the risk metric within the specified system. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Specifies the naming system under which this risk metric is organized, which allows for + // the same names to be used in different systems controlled by different parties. This + // avoids the potential of a name clash. + System string `json:"system" yaml:"system" xml:"system"` + // Indicates the value of the facet. + Value string `json:"value" yaml:"value" xml:"value"` +} + +// Describes an existing mitigating factor that may affect the overall determination of the +// risk, with an optional link to an implementation statement in the SSP. +type MitigatingFactor struct { + // A human-readable description of this mitigating factor. + Description string `json:"description" yaml:"description" xml:"description"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this implementation statement elsewhere in this or other OSCAL instancess. 
+ // The locally defined UUID of the implementation statement can be used to reference the + // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + ImplementationUUID *string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty" xml:"implementation-uuid,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this mitigating factor elsewhere in this or other OSCAL instances. The + // locally defined UUID of the mitigating factor can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Relates the finding to a set of referenced observations that were used to determine the +// finding. +type RiskRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. + ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` +} + +// Describes either recommended or an actual plan for addressing the risk. +type RiskResponse struct { + // A human-readable description of this response plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + // Identifies whether this is a recommendation, such as from an assessor or tool, or an + // actual plan accepted by the system owner. + Lifecycle string `json:"lifecycle" yaml:"lifecycle" xml:"lifecycle"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []FindingOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + RequiredAssets []RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty" xml:"required-assets,omitempty"` + Tasks []Task `json:"tasks,omitempty" yaml:"tasks,omitempty" xml:"tasks,omitempty"` + // The title for this response activity. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this remediation elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk response can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an asset required to achieve remediation. +type RequiredAsset struct { + // A human-readable description of this required asset. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Subjects []IdentifiesTheSubject `json:"subjects,omitempty" yaml:"subjects,omitempty" xml:"subjects,omitempty"` + // The title for this required asset. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this required asset elsewhere in this or other OSCAL instances. The locally + // defined UUID of the asset can be used to reference the data item locally or globally + // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + // means it should be consistently used to identify the same subject across revisions of the + // document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A log of all risk-related tasks taken. +type RiskLog struct { + Entries []RiskLogEntry `json:"entries" yaml:"entries" xml:"entries"` } -type AssociatedRisk struct { - RiskUuid string `json:"risk-uuid" yaml:"risk-uuid"` +// Identifies an individual risk response that occurred as part of managing an identified +// risk. +type RiskLogEntry struct { + // A human-readable description of what was done regarding the risk. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + // Identifies the end date and time of the event. If the event is a point in time, the start + // and end will be the same date and time. 
+ End *time.Time `json:"end,omitempty" yaml:"end,omitempty" xml:"end,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + LoggedBy []LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty" xml:"logged-by,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedResponses []RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty" xml:"related-responses,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Identifies the start date and time of the event. + Start time.Time `json:"start" yaml:"start" xml:"start"` + StatusChange *string `json:"status-change,omitempty" yaml:"status-change,omitempty" xml:"status-change,omitempty"` + // The title for this risk log entry. + Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the risk log entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies an individual risk response that this log entry is for. 
+type RiskResponseReference struct { + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedTasks []TaskReference `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty" xml:"related-tasks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a unique risk response. + ResponseUUID string `json:"response-uuid" yaml:"response-uuid" xml:"response-uuid"` } -type FindingTarget struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Status ObjectiveStatus `json:"status" yaml:"status"` - TargetId string `json:"target-id" yaml:"target-id"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// A pointer, by ID, to an externally-defined threat. +type ThreatID struct { + // An optional location for the threat data, from which this ID originates. + Href *string `json:"href,omitempty" yaml:"href,omitempty" xml:"href,omitempty"` + ID string `json:"id" yaml:"id" xml:"id"` + // Specifies the source of the threat information. 
+ System string `json:"system" yaml:"system" xml:"system"` } -type RelevantEvidence struct { - Description string `json:"description" yaml:"description"` - Href string `json:"href,omitempty" yaml:"href,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` +// A structured, organized collection of control information. +type Catalog struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + // Provides a globally unique means to identify a given catalog instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` } -type SubjectReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - SubjectUuid string `json:"subject-uuid" yaml:"subject-uuid"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - Type string `json:"type" yaml:"type"` +// A structured object representing a requirement or guideline, which when implemented will +// reduce an aspect of risk related to an information system and its information. +type Control struct { + // A textual label that provides a sub-type or characterization of the control. 
+ Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + // Identifies a control such that it can be referenced in the defining catalog and other + // OSCAL instances (e.g., profiles). + ID string `json:"id" yaml:"id" xml:"id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +type Parameter struct { + // A textual label that provides a characterization of the type, purpose, use or scope of + // the parameter. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // (deprecated) Another parameter invoking this one. This construct has been deprecated and + // should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A unique identifier for the parameter. + ID string `json:"id" yaml:"id" xml:"id"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. 
+ Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A formal or informal expression of a constraint or test. +type Constraint struct { + // A textual summary of the constraint to be applied. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Tests []ConstraintTest `json:"tests,omitempty" yaml:"tests,omitempty" xml:"tests,omitempty"` +} + +// A test expression which is expected to be evaluated by a tool. +type ConstraintTest struct { + // A formal (executable) expression of a constraint. + Expression string `json:"expression" yaml:"expression" xml:"expression"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// A prose statement that provides a recommendation for the use of a parameter. +type Guideline struct { + // Prose permits multiple paragraphs, lists, tables etc. + Prose string `json:"prose" yaml:"prose" xml:"prose"` +} + +// Presenting a choice among alternatives. +type Selection struct { + Choice []string `json:"choice,omitempty" yaml:"choice,omitempty" xml:"choice,omitempty"` + // Describes the number of selections that must occur. Without this setting, only one value + // should be assumed to be permitted. 
+ HowMany *ParameterCardinality `json:"how-many,omitempty" yaml:"how-many,omitempty" xml:"how-many,omitempty"` +} + +// A group of controls, or of groups of controls. +type CatalogGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Controls []Control `json:"controls,omitempty" yaml:"controls,omitempty" xml:"controls,omitempty"` + Groups []CatalogGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // Identifies the group for the purpose of cross-linking within the defining instance or + // from other instances that reference the catalog. + ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the group, which may be used by a tool for display and navigation. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// A collection of component descriptions, which may optionally be grouped by capability. 
+type ComponentDefinition struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Capabilities []Capability `json:"capabilities,omitempty" yaml:"capabilities,omitempty" xml:"capabilities,omitempty"` + Components []ComponentDefinitionComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty" yaml:"import-component-definitions,omitempty" xml:"import-component-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + // Provides a globally unique means to identify a given component definition instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` } +// A grouping of other components and/or capabilities. +type Capability struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A summary of the capability. + Description string `json:"description" yaml:"description" xml:"description"` + IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty" yaml:"incorporates-components,omitempty" xml:"incorporates-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // The capability's human-readable name. + Name string `json:"name" yaml:"name" xml:"name"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // Provides a globally unique means to identify a given capability. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the component or capability supports a set of controls. 
+type ControlImplementationSet struct { + // A description of how the specified set of controls are implemented for the containing + // component or capability. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + // definition. + Source string `json:"source" yaml:"source" xml:"source"` + // Provides a means to identify a set of control implementations that are supported by a + // given component or capability. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the containing component or capability implements an individual control. +type ImplementedRequirementElement struct { + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + // A suggestion from the supplier (e.g., component vendor or author) for how the specified + // control may be implemented if the containing component or capability is instantiated in a + // system security plan. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // Provides a globally unique means to identify a given control implementation by a + // component. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies the parameter that will be set by the enclosed value. +type SetParameterValue struct { + // A human-oriented reference to a parameter within a control, who's catalog has been + // imported into the current implementation context. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Values []string `json:"values" yaml:"values" xml:"values"` +} + +// Identifies which statements within a control are addressed. +type ControlStatementImplementation struct { + // A summary of how the containing control statement is implemented by the component or + // capability. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// The collection of components comprising this capability. +type IncorporatesComponent struct { + // A machine-oriented identifier reference to a component. + ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // A description of the component, including information about its function. + Description string `json:"description" yaml:"description" xml:"description"` +} + +// A defined component that can be part of an implemented system. +type ComponentDefinitionComponent struct { + ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty" yaml:"control-implementations,omitempty" xml:"control-implementations,omitempty"` + // A description of the component, including information about its function. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Protocols []ServiceProtocolInformation `json:"protocols,omitempty" yaml:"protocols,omitempty" xml:"protocols,omitempty"` + // A summary of the technological or business purpose of the component. + Purpose *string `json:"purpose,omitempty" yaml:"purpose,omitempty" xml:"purpose,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human readable name for the component. + Title string `json:"title" yaml:"title" xml:"title"` + // A category describing the purpose of the component. + Type string `json:"type" yaml:"type" xml:"type"` + // Provides a globally unique means to identify a given component. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Loads a component definition from another resource. +type ImportComponentDefinition struct { + // A link to a resource that defines a set of components and/or capabilities to import into + // this collection. + Href string `json:"href" yaml:"href" xml:"href"` +} + +// A plan of action and milestones which identifies initial and residual risks, deviations, +// and disposition, such as those required by FedRAMP. 
+type PlanOfActionAndMilestonesPOAM struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Findings []Finding `json:"findings,omitempty" yaml:"findings,omitempty" xml:"findings,omitempty"` + ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty" yaml:"import-ssp,omitempty" xml:"import-ssp,omitempty"` + LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty" yaml:"local-definitions,omitempty" xml:"local-definitions,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Observations []Observation `json:"observations,omitempty" yaml:"observations,omitempty" xml:"observations,omitempty"` + PoamItems []POAMItem `json:"poam-items" yaml:"poam-items" xml:"poam-items"` + Risks []IdentifiedRisk `json:"risks,omitempty" yaml:"risks,omitempty" xml:"risks,omitempty"` + SystemID *SystemIdentification `json:"system-id,omitempty" yaml:"system-id,omitempty" xml:"system-id,omitempty"` + // A machine-oriented, globally unique identifier with instancescope that can be used to + // reference this POA&M instance in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Allows components, and inventory-items to be defined within the POA&M for circumstances +// where no OSCAL-based SSP exists, or is not delivered with the POA&M. 
+type PlanOfActionAndMilestonesLocalDefinitions struct { + AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty" yaml:"assessment-assets,omitempty" xml:"assessment-assets,omitempty"` + Components []AssessmentAssetsComponent `json:"components,omitempty" yaml:"components,omitempty" xml:"components,omitempty"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` +} + +// Describes an individual POA&M item. +type POAMItem struct { + // A human-readable description of POA&M item. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Origins []PoamItemOrigin `json:"origins,omitempty" yaml:"origins,omitempty" xml:"origins,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + RelatedFindings []RelatedFinding `json:"related-findings,omitempty" yaml:"related-findings,omitempty" xml:"related-findings,omitempty"` + RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty" yaml:"related-observations,omitempty" xml:"related-observations,omitempty"` + RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty" yaml:"related-risks,omitempty" xml:"related-risks,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The title or name for this POA&M item . + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with instance scope that can be used to + // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// Identifies the source of the finding, such as a tool or person. type PoamItemOrigin struct { - Actors []OriginActor `json:"actors" yaml:"actors"` + Actors []OriginatingActor `json:"actors" yaml:"actors" xml:"actors"` } +// Relates the poam-item to referenced finding(s). type RelatedFinding struct { - FindingUuid string `json:"finding-uuid" yaml:"finding-uuid"` + // A machine-oriented identifier reference to a finding defined in the list of findings. + FindingUUID string `json:"finding-uuid" yaml:"finding-uuid" xml:"finding-uuid"` } -type Characterization struct { - Facets []Facet `json:"facets" yaml:"facets"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origin Origin `json:"origin" yaml:"origin"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` +// Relates the poam-item to a set of referenced observations that were used to determine the +// finding. +type PoamItemRelatedObservation struct { + // A machine-oriented identifier reference to an observation defined in the list of + // observations. 
+ ObservationUUID string `json:"observation-uuid" yaml:"observation-uuid" xml:"observation-uuid"` } -type MitigatingFactor struct { - Description string `json:"description" yaml:"description"` - ImplementationUuid string `json:"implementation-uuid,omitempty" yaml:"implementation-uuid,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Response struct { - Description string `json:"description" yaml:"description"` - Lifecycle string `json:"lifecycle" yaml:"lifecycle"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Origins *[]Origin `json:"origins,omitempty" yaml:"origins,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - RequiredAssets *[]RequiredAsset `json:"required-assets,omitempty" yaml:"required-assets,omitempty"` - Tasks *[]Task `json:"tasks,omitempty" yaml:"tasks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` +// Relates the finding to a set of referenced risks that were used to determine the finding. +type PoamItemRelatedRisk struct { + // A machine-oriented identifier reference to a risk defined in the list of risks. + RiskUUID string `json:"risk-uuid" yaml:"risk-uuid" xml:"risk-uuid"` } -type RiskLog struct { - Entries []RiskLogEntry `json:"entries" yaml:"entries"` +// A human-oriented, globally unique identifier with cross-instance scope that can be used +// to reference this system identification property elsewhere in this or other OSCAL +// instances. When referencing an externally defined system identification, the system +// identification must be used in the context of the external / imported OSCAL instance +// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should +// be consistently used to identify the same system across revisions of the document. +type SystemIdentification struct { + ID string `json:"id" yaml:"id" xml:"id"` + // Identifies the identification system from which the provided identifier was assigned. + IdentifierType *string `json:"identifier-type,omitempty" yaml:"identifier-type,omitempty" xml:"identifier-type,omitempty"` } -type ThreatId struct { - Href string `json:"href,omitempty" yaml:"href,omitempty"` - ID string `json:"id" yaml:"id"` - System string `json:"system" yaml:"system"` +// Each OSCAL profile is defined by a profile element. +type Profile struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + Imports []ImportResource `json:"imports" yaml:"imports" xml:"imports"` + Merge *MergeControls `json:"merge,omitempty" yaml:"merge,omitempty" xml:"merge,omitempty"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + Modify *ModifyControls `json:"modify,omitempty" yaml:"modify,omitempty" xml:"modify,omitempty"` + // Provides a globally unique means to identify a given profile instance. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Designates a referenced source catalog or profile that provides a source of control +// information for use in creating a new overlay or baseline. +type ImportResource struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
+ Href string `json:"href" yaml:"href" xml:"href"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` +} + +// Select a control or controls from an imported control set. +type ImportExcludeControl struct { + Matching []MatchControlsByPattern `json:"matching,omitempty" yaml:"matching,omitempty" xml:"matching,omitempty"` + // When a control is included, whether its child (dependent) controls are also included. + WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty" xml:"with-child-controls,omitempty"` + WithIDS []string `json:"with-ids,omitempty" yaml:"with-ids,omitempty" xml:"with-ids,omitempty"` +} + +// Selecting a set of controls by matching their IDs with a wildcard pattern. +type MatchControlsByPattern struct { + // A glob expression matching the IDs of one or more controls to be selected. + Pattern *string `json:"pattern,omitempty" yaml:"pattern,omitempty" xml:"pattern,omitempty"` +} + +// Provides structuring directives that instruct how controls are organized after profile +// resolution. +type MergeControls struct { + // Indicates that the controls selected should retain their original grouping as defined in + // the import source. + AsIs *bool `json:"as-is,omitempty" yaml:"as-is,omitempty" xml:"as-is,omitempty"` + // A Combine element defines how to resolve duplicate instances of the same control (e.g., + // controls with the same ID). + Combine *CombinationRule `json:"combine,omitempty" yaml:"combine,omitempty" xml:"combine,omitempty"` + // Provides an alternate grouping structure that selected controls will be placed in. 
+ Custom *CustomGrouping `json:"custom,omitempty" yaml:"custom,omitempty" xml:"custom,omitempty"` + // Directs that controls appear without any grouping structure. + Flat *FlatWithoutGrouping `json:"flat,omitempty" yaml:"flat,omitempty" xml:"flat,omitempty"` +} + +// A Combine element defines how to resolve duplicate instances of the same control (e.g., +// controls with the same ID). +type CombinationRule struct { + // Declare how clashing controls should be handled. + Method *CombinationMethod `json:"method,omitempty" yaml:"method,omitempty" xml:"method,omitempty"` } -type SelectControlById struct { - Matching *[]Matching `json:"matching,omitempty" yaml:"matching,omitempty"` - WithChildControls string `json:"with-child-controls,omitempty" yaml:"with-child-controls,omitempty"` - WithIds *[]string `json:"with-ids,omitempty" yaml:"with-ids,omitempty"` +// Provides an alternate grouping structure that selected controls will be placed in. +type CustomGrouping struct { + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` +} + +// A group of (selected) controls or of groups of controls. +type CustomGroup struct { + // A textual label that provides a sub-type or characterization of the group. + Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Groups []CustomGroup `json:"groups,omitempty" yaml:"groups,omitempty" xml:"groups,omitempty"` + // Identifies the group. 
+ ID *string `json:"id,omitempty" yaml:"id,omitempty" xml:"id,omitempty"` + InsertControls []InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty" xml:"insert-controls,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name to be given to the group for use in display. + Title string `json:"title" yaml:"title" xml:"title"` +} + +// Specifies which controls to use in the containing context. +type InsertControls struct { + ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty" xml:"exclude-controls,omitempty"` + IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty" xml:"include-all,omitempty"` + IncludeControls []ImportExcludeControl `json:"include-controls,omitempty" yaml:"include-controls,omitempty" xml:"include-controls,omitempty"` + // A designation of how a selection of controls in a profile is to be ordered. + Order *Order `json:"order,omitempty" yaml:"order,omitempty" xml:"order,omitempty"` } -type CombinationRule struct { - Method string `json:"method,omitempty" yaml:"method,omitempty"` +// Directs that controls appear without any grouping structure. +type FlatWithoutGrouping struct { } -type CustomGrouping struct { - Groups *[]CustomGroupingGroup `json:"groups,omitempty" yaml:"groups,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` +// Set parameters or amend controls in resolution. 
+type ModifyControls struct { + Alters []Alteration `json:"alters,omitempty" yaml:"alters,omitempty" xml:"alters,omitempty"` + SetParameters []ParameterSetting `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` } -type FlatWithoutGrouping = map[string]interface{} - +// Specifies changes to be made to an included control when a profile is resolved. type Alteration struct { - Adds *[]Addition `json:"adds,omitempty" yaml:"adds,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Removes *[]Removal `json:"removes,omitempty" yaml:"removes,omitempty"` + Adds []Addition `json:"adds,omitempty" yaml:"adds,omitempty" xml:"adds,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Removes []Removal `json:"removes,omitempty" yaml:"removes,omitempty" xml:"removes,omitempty"` } +// Specifies contents to be added into controls, in resolution. +type Addition struct { + // Target location of the addition. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Params []Parameter `json:"params,omitempty" yaml:"params,omitempty" xml:"params,omitempty"` + Parts []PartElement `json:"parts,omitempty" yaml:"parts,omitempty" xml:"parts,omitempty"` + // Where to add the new content with respect to the targeted element (beside it or inside + // it). + Position *Position `json:"position,omitempty" yaml:"position,omitempty" xml:"position,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A name given to the control, which may be used by a tool for display and navigation. 
+ Title *string `json:"title,omitempty" yaml:"title,omitempty" xml:"title,omitempty"` +} + +// Specifies objects to be removed from a control based on specific aspects of the object +// that must all match. +type Removal struct { + // Identify items to remove by matching their class. + ByClass *string `json:"by-class,omitempty" yaml:"by-class,omitempty" xml:"by-class,omitempty"` + // Identify items to remove indicated by their id. + ByID *string `json:"by-id,omitempty" yaml:"by-id,omitempty" xml:"by-id,omitempty"` + // Identify items to remove by the name of the item's information object name, e.g. title or + // prop. + ByItemName *ItemNameReference `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty" xml:"by-item-name,omitempty"` + // Identify items remove by matching their assigned name. + ByName *string `json:"by-name,omitempty" yaml:"by-name,omitempty" xml:"by-name,omitempty"` + // Identify items to remove by the item's ns, which is the namespace associated with a part, + // or prop. + ByNS *string `json:"by-ns,omitempty" yaml:"by-ns,omitempty" xml:"by-ns,omitempty"` +} + +// A parameter setting, to be propagated to points of insertion. 
type ParameterSetting struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Constraints *[]ParameterConstraint `json:"constraints,omitempty" yaml:"constraints,omitempty"` - DependsOn string `json:"depends-on,omitempty" yaml:"depends-on,omitempty"` - Guidelines *[]ParameterGuideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty"` - Label string `json:"label,omitempty" yaml:"label,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - ParamId string `json:"param-id" yaml:"param-id"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Select *ParameterSelection `json:"select,omitempty" yaml:"select,omitempty"` - Usage string `json:"usage,omitempty" yaml:"usage,omitempty"` - Values *[]string `json:"values,omitempty" yaml:"values,omitempty"` -} - -type ImplementedRequirement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - ControlId string `json:"control-id" yaml:"control-id"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]Statement `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type SetParameter struct { - ParamId string `json:"param-id" yaml:"param-id"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Values []string `json:"values" yaml:"values"` + // A textual label that provides a characterization of the parameter. 
+ Class *string `json:"class,omitempty" yaml:"class,omitempty" xml:"class,omitempty"` + Constraints []Constraint `json:"constraints,omitempty" yaml:"constraints,omitempty" xml:"constraints,omitempty"` + // **(deprecated)** Another parameter invoking this one. This construct has been deprecated + // and should not be used. + DependsOn *string `json:"depends-on,omitempty" yaml:"depends-on,omitempty" xml:"depends-on,omitempty"` + Guidelines []Guideline `json:"guidelines,omitempty" yaml:"guidelines,omitempty" xml:"guidelines,omitempty"` + // A short, placeholder name for the parameter, which can be used as a substitute for a + // value if no value is assigned. + Label *string `json:"label,omitempty" yaml:"label,omitempty" xml:"label,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // An identifier for the parameter. + ParamID string `json:"param-id" yaml:"param-id" xml:"param-id"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Select *Selection `json:"select,omitempty" yaml:"select,omitempty" xml:"select,omitempty"` + // Describes the purpose and use of a parameter. + Usage *string `json:"usage,omitempty" yaml:"usage,omitempty" xml:"usage,omitempty"` + Values []string `json:"values,omitempty" yaml:"values,omitempty" xml:"values,omitempty"` +} + +// A system security plan, such as those described in NIST SP 800-18. 
+type SystemSecurityPlanSSP struct { + BackMatter *BackMatter `json:"back-matter,omitempty" yaml:"back-matter,omitempty" xml:"back-matter,omitempty"` + ControlImplementation ControlImplementationClass `json:"control-implementation" yaml:"control-implementation" xml:"control-implementation"` + ImportProfile ImportProfile `json:"import-profile" yaml:"import-profile" xml:"import-profile"` + Metadata DocumentMetadata `json:"metadata" yaml:"metadata" xml:"metadata"` + SystemCharacteristics SystemCharacteristics `json:"system-characteristics" yaml:"system-characteristics" xml:"system-characteristics"` + SystemImplementation SystemImplementation `json:"system-implementation" yaml:"system-implementation" xml:"system-implementation"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + // The locally defined UUID of the SSP can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how the system satisfies a set of controls. +type ControlImplementationClass struct { + // A statement describing important things to know about how this set of control + // satisfaction documentation is approached. + Description string `json:"description" yaml:"description" xml:"description"` + ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements" yaml:"implemented-requirements" xml:"implemented-requirements"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` +} + +// Describes how the system satisfies the requirements of an individual control. 
+type ControlBasedRequirement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + // A reference to a control with a corresponding id value. When referencing an externally + // defined control, the Control Identifier Reference must be used in the context of the + // external / imported OSCAL instance (e.g., uri-reference). + ControlID string `json:"control-id" yaml:"control-id" xml:"control-id"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + Statements []SpecificControlStatement `json:"statements,omitempty" yaml:"statements,omitempty" xml:"statements,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control requirement elsewhere in this or other OSCAL instances. The + // locally defined UUID of the control requirement can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Defines how the referenced component implements a set of controls. +type ComponentControlImplementation struct { + // A machine-oriented identifier reference to the component that is implemeting a given + // control. 
+ ComponentUUID string `json:"component-uuid" yaml:"component-uuid" xml:"component-uuid"` + // An implementation statement that describes how a control or a control statement is + // implemented within the referenced system component. + Description string `json:"description" yaml:"description" xml:"description"` + // Identifies content intended for external consumption, such as with leveraged + // organizations. + Export *Export `json:"export,omitempty" yaml:"export,omitempty" xml:"export,omitempty"` + ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty" xml:"implementation-status,omitempty"` + Inherited []InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty" xml:"inherited,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty" xml:"satisfied,omitempty"` + SetParameters []SetParameterValue `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty" xml:"set-parameters,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this by-component entry elsewhere in this or other OSCAL instances. The + // locally defined UUID of the by-component entry can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. 
+ UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies content intended for external consumption, such as with leveraged +// organizations. +type Export struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be available to another system leveraging this system. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Provided []ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty" xml:"provided,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty" xml:"responsibilities,omitempty"` +} + +// Describes a capability which may be inherited by a leveraging system. +type ProvidedControlImplementation struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that can be provided to another system leveraging this system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this provided entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the provided entry can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation responsibility imposed on a leveraging system. +type ControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of the control or control + // statement implementation that a leveraging system must implement to satisfy the control + // provided by a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. 
+ ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this responsibility elsewhere in this or other OSCAL instances. The locally + // defined UUID of the responsibility can be used to reference the data item locally or + // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + // which means it should be consistently used to identify the same subject across revisions + // of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes a control implementation inherited by a leveraging system. +type InheritedControlImplementation struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is inheriting from a leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A machine-oriented identifier reference to an inherited control implementation that a + // leveraging system is inheriting from a leveraged system. 
+ ProvidedUUID *string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty" xml:"provided-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + // defined UUID of the inherited control implementation can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Describes how this system satisfies a responsibility imposed by a leveraged system. +type SatisfiedControlImplementationResponsibility struct { + // An implementation statement that describes the aspects of a control or control statement + // implementation that a leveraging system is implementing based on a requirement from a + // leveraged system. + Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented identifier reference to a control implementation that satisfies a + // responsibility imposed by a leveraged system. 
+ ResponsibilityUUID *string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty" xml:"responsibility-uuid,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this satisfied control implementation entry elsewhere in this or other OSCAL + // instances. The locally defined UUID of the control implementation can be used to + // reference the data item locally or globally (e.g., in an imported OSCAL instance). This + // UUID should be assigned per-subject, which means it should be consistently used to + // identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Identifies which statements within a control are addressed. +type SpecificControlStatement struct { + ByComponents []ComponentControlImplementation `json:"by-components,omitempty" yaml:"by-components,omitempty" xml:"by-components,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty" xml:"responsible-roles,omitempty"` + // A human-oriented identifier reference to a control statement. + StatementID string `json:"statement-id" yaml:"statement-id" xml:"statement-id"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this control statement elsewhere in this or other OSCAL instances. 
The UUID + // of the control statement in the source OSCAL instance is sufficient to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Used to import the OSCAL profile representing the system's control baseline. +type ImportProfile struct { + // A resolvable URL reference to the profile or catalog to use as the system's control + // baseline. + Href string `json:"href" yaml:"href" xml:"href"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// Contains the characteristics of the system, such as its name, purpose, and security +// impact level. +type SystemCharacteristics struct { + AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary" yaml:"authorization-boundary" xml:"authorization-boundary"` + DataFlow *DataFlow `json:"data-flow,omitempty" yaml:"data-flow,omitempty" xml:"data-flow,omitempty"` + DateAuthorized *string `json:"date-authorized,omitempty" yaml:"date-authorized,omitempty" xml:"date-authorized,omitempty"` + // A summary of the system. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty" yaml:"network-architecture,omitempty" xml:"network-architecture,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty" xml:"responsible-parties,omitempty"` + SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty" yaml:"security-impact-level,omitempty" xml:"security-impact-level,omitempty"` + // The overall information system sensitivity categorization, such as defined by FIPS-199. + SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty" yaml:"security-sensitivity-level,omitempty" xml:"security-sensitivity-level,omitempty"` + Status SystemCharacteristicsStatus `json:"status" yaml:"status" xml:"status"` + SystemIDS []SystemIdentification `json:"system-ids" yaml:"system-ids" xml:"system-ids"` + SystemInformation SystemInformation `json:"system-information" yaml:"system-information" xml:"system-information"` + // The full name of the system. + SystemName string `json:"system-name" yaml:"system-name" xml:"system-name"` + // A short name for the system, such as an acronym, that is suitable for display in a data + // table or summary list. + SystemNameShort *string `json:"system-name-short,omitempty" yaml:"system-name-short,omitempty" xml:"system-name-short,omitempty"` +} + +// A description of this system's authorization boundary, optionally supplemented by +// diagrams that illustrate the authorization boundary. 
type AuthorizationBoundary struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's authorization boundary. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A graphic that provides a visual representation the system, or some aspect of it. +type Diagram struct { + // A brief caption to annotate the diagram. + Caption *string `json:"caption,omitempty" yaml:"caption,omitempty" xml:"caption,omitempty"` + // A summary of the diagram. + Description *string `json:"description,omitempty" yaml:"description,omitempty" xml:"description,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + // UUID of the diagram can be used to reference the data item locally or globally (e.g., in + // an imported OSCAL instance). 
This UUID should be assigned per-subject, which means it + // should be consistently used to identify the same subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// A description of the logical flow of information within the system and across its +// boundaries, optionally supplemented by diagrams that illustrate these flows. type DataFlow struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's data flow. + Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// A description of the system's network architecture, optionally supplemented by diagrams +// that illustrate the network architecture. type NetworkArchitecture struct { - Description string `json:"description" yaml:"description"` - Diagrams *[]Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` + // A summary of the system's network architecture. 
+ Description string `json:"description" yaml:"description" xml:"description"` + Diagrams []Diagram `json:"diagrams,omitempty" yaml:"diagrams,omitempty" xml:"diagrams,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` } +// The overall level of expected impact resulting from unauthorized disclosure, +// modification, or loss of access to information. type SecurityImpactLevel struct { - SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability"` - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality"` - SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity"` -} - -type Status struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - + // A target-level of availability for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveAvailability string `json:"security-objective-availability" yaml:"security-objective-availability" xml:"security-objective-availability"` + // A target-level of confidentiality for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality" yaml:"security-objective-confidentiality" xml:"security-objective-confidentiality"` + // A target-level of integrity for the system, based on the sensitivity of information + // within the system. + SecurityObjectiveIntegrity string `json:"security-objective-integrity" yaml:"security-objective-integrity" xml:"security-objective-integrity"` +} + +// Describes the operational status of the system. 
+type SystemCharacteristicsStatus struct { + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // The current operating status. + State FluffyState `json:"state" yaml:"state" xml:"state"` +} + +// Contains details about all information types that are stored, processed, or transmitted +// by the system, such as privacy information, and those defined in NIST SP 800-60. type SystemInformation struct { - InformationTypes []InformationType `json:"information-types" yaml:"information-types"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` -} - -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized" yaml:"date-authorized"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type UsesComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type SystemComponentStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Base64 struct { - Filename string `json:"filename,omitempty" yaml:"filename,omitempty"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` - Value string `json:"value" yaml:"value"` -} - -type Citation struct { - Links *[]Link `json:"links,omitempty" 
yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Text string `json:"text" yaml:"text"` -} - -type ResourceLink struct { - Hashes *[]Hash `json:"hashes,omitempty" yaml:"hashes,omitempty"` - Href string `json:"href" yaml:"href"` - MediaType string `json:"media-type,omitempty" yaml:"media-type,omitempty"` -} - -type Step struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControls `json:"reviewed-controls,omitempty" yaml:"reviewed-controls,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ImplementedComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` -} - -type AuthorizedPrivilege struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed" yaml:"functions-performed"` - Title string `json:"title" yaml:"title"` -} - -type Address struct { - AddrLines *[]string `json:"addr-lines,omitempty" yaml:"addr-lines,omitempty"` - City string `json:"city,omitempty" yaml:"city,omitempty"` - Country string `json:"country,omitempty" yaml:"country,omitempty"` - PostalCode string `json:"postal-code,omitempty" yaml:"postal-code,omitempty"` - State string `json:"state,omitempty" 
yaml:"state,omitempty"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type TelephoneNumber struct { - Number string `json:"number" yaml:"number"` - Type string `json:"type,omitempty" yaml:"type,omitempty"` -} - -type PartyExternalIdentifier struct { - ID string `json:"id" yaml:"id"` - Scheme string `json:"scheme" yaml:"scheme"` -} - -type SelectObjectiveById struct { - ObjectiveId string `json:"objective-id" yaml:"objective-id"` -} - -type AssessedControlsSelectControlById struct { - ControlId string `json:"control-id" yaml:"control-id"` - StatementIds *[]string `json:"statement-ids,omitempty" yaml:"statement-ids,omitempty"` -} - -type FrequencyCondition struct { - Period int `json:"period" yaml:"period"` - Unit string `json:"unit" yaml:"unit"` -} - -type OnDateCondition struct { - Date time.Time `json:"date" yaml:"date"` -} - -type OnDateRangeCondition struct { - End time.Time `json:"end" yaml:"end"` - Start time.Time `json:"start" yaml:"start"` -} - -type AssessmentLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type ConstraintTest struct { - Expression string `json:"expression" yaml:"expression"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` -} - -type ImplementedRequirementControlImplementation struct { - ControlId string `json:"control-id" yaml:"control-id"` - Description string 
`json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - Statements *[]ControlStatementImplementation `json:"statements,omitempty" yaml:"statements,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type PortRange struct { - End int `json:"end,omitempty" yaml:"end,omitempty"` - Start int `json:"start,omitempty" yaml:"start,omitempty"` - Transport string `json:"transport,omitempty" yaml:"transport,omitempty"` -} - -type OriginActor struct { - ActorUuid string `json:"actor-uuid" yaml:"actor-uuid"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` - Type string `json:"type" yaml:"type"` -} - -type RelatedTask struct { - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty" yaml:"identified-subject,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleParties *[]ResponsibleParty `json:"responsible-parties,omitempty" yaml:"responsible-parties,omitempty"` - Subjects *[]AssessmentSubject `json:"subjects,omitempty" yaml:"subjects,omitempty"` - TaskUuid string `json:"task-uuid" yaml:"task-uuid"` -} - -type ImplementationStatus struct { - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type ObjectiveStatus struct { - Reason string `json:"reason,omitempty" yaml:"reason,omitempty"` 
- Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - State string `json:"state" yaml:"state"` -} - -type Facet struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Name string `json:"name" yaml:"name"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - System string `json:"system" yaml:"system"` - Value string `json:"value" yaml:"value"` -} - -type RequiredAsset struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Subjects *[]SubjectReference `json:"subjects,omitempty" yaml:"subjects,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type RiskLogEntry struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - End *time.Time `json:"end,omitempty" yaml:"end,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - LoggedBy *[]LoggedBy `json:"logged-by,omitempty" yaml:"logged-by,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedResponses *[]RiskResponseReference `json:"related-responses,omitempty" yaml:"related-responses,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Start time.Time `json:"start" yaml:"start"` - StatusChange string `json:"status-change,omitempty" yaml:"status-change,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Matching struct { - Pattern string `json:"pattern,omitempty" yaml:"pattern,omitempty"` -} - -type CustomGroupingGroup struct { - Class string `json:"class,omitempty" yaml:"class,omitempty"` - Groups *[]CustomGroupingGroup 
`json:"groups,omitempty" yaml:"groups,omitempty"` - ID string `json:"id,omitempty" yaml:"id,omitempty"` - InsertControls *[]InsertControls `json:"insert-controls,omitempty" yaml:"insert-controls,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` -} - -type InsertControls struct { - ExcludeControls *[]SelectControlById `json:"exclude-controls,omitempty" yaml:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty" yaml:"include-all,omitempty"` - IncludeControls *[]SelectControlById `json:"include-controls,omitempty" yaml:"include-controls,omitempty"` - Order string `json:"order,omitempty" yaml:"order,omitempty"` + InformationTypes []InformationType `json:"information-types" yaml:"information-types" xml:"information-types"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` } -type Addition struct { - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Params *[]Parameter `json:"params,omitempty" yaml:"params,omitempty"` - Parts *[]Part `json:"parts,omitempty" yaml:"parts,omitempty"` - Position string `json:"position,omitempty" yaml:"position,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title,omitempty" yaml:"title,omitempty"` -} - -type Removal struct { - ByClass string `json:"by-class,omitempty" yaml:"by-class,omitempty"` - ById string `json:"by-id,omitempty" yaml:"by-id,omitempty"` - ByItemName string `json:"by-item-name,omitempty" yaml:"by-item-name,omitempty"` - ByName string `json:"by-name,omitempty" 
yaml:"by-name,omitempty"` - ByNs string `json:"by-ns,omitempty" yaml:"by-ns,omitempty"` -} - -type ByComponent struct { - ComponentUuid string `json:"component-uuid" yaml:"component-uuid"` - Description string `json:"description" yaml:"description"` - Export *Export `json:"export,omitempty" yaml:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty" yaml:"implementation-status,omitempty"` - Inherited *[]InheritedControlImplementation `json:"inherited,omitempty" yaml:"inherited,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - Satisfied *[]SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty" yaml:"satisfied,omitempty"` - SetParameters *[]SetParameter `json:"set-parameters,omitempty" yaml:"set-parameters,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} - -type Statement struct { - ByComponents *[]ByComponent `json:"by-components,omitempty" yaml:"by-components,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` +// Contains details about one information type that is stored, processed, or transmitted by +// the system, such as privacy information, and those defined in NIST SP 800-60. 
+type InformationType struct { + AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty" yaml:"availability-impact,omitempty" xml:"availability-impact,omitempty"` + Categorizations []InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty" xml:"categorizations,omitempty"` + ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty" yaml:"confidentiality-impact,omitempty" xml:"confidentiality-impact,omitempty"` + // A summary of how this information type is used within the system. + Description string `json:"description" yaml:"description" xml:"description"` + IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty" yaml:"integrity-impact,omitempty" xml:"integrity-impact,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + // A human readable name for the information type. This title should be meaningful within + // the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope that can be used + // to reference this information type elsewhere in this or other OSCAL instances. The + // locally defined UUID of the information type can be used to reference the data item + // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + // per-subject, which means it should be consistently used to identify the same subject + // across revisions of the document. + UUID *string `json:"uuid,omitempty" yaml:"uuid,omitempty" xml:"uuid,omitempty"` +} + +// The expected level of impact resulting from the described information. 
+type ImpactLevel struct { + AdjustmentJustification *string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty" xml:"adjustment-justification,omitempty"` + Base string `json:"base" yaml:"base" xml:"base"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Selected *string `json:"selected,omitempty" yaml:"selected,omitempty" xml:"selected,omitempty"` +} + +// A set of information type identifiers qualified by the given identification system used, +// such as NIST SP 800-60. +type InformationTypeCategorization struct { + InformationTypeIDS []string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty" xml:"information-type-ids,omitempty"` + // Specifies the information type identification system used. + System string `json:"system" yaml:"system" xml:"system"` } -type Diagram struct { - Caption string `json:"caption,omitempty" yaml:"caption,omitempty"` - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Provides information as to how the system is implemented. 
+type SystemImplementation struct { + Components []AssessmentAssetsComponent `json:"components" yaml:"components" xml:"components"` + InventoryItems []InventoryItem `json:"inventory-items,omitempty" yaml:"inventory-items,omitempty" xml:"inventory-items,omitempty"` + LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty" yaml:"leveraged-authorizations,omitempty" xml:"leveraged-authorizations,omitempty"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + Users []SystemUser `json:"users" yaml:"users" xml:"users"` +} + +// A description of another authorized system from which this system inherits capabilities +// that satisfy security requirements. Another term for this concept is a common control +// provider. +type LeveragedAuthorization struct { + DateAuthorized string `json:"date-authorized" yaml:"date-authorized" xml:"date-authorized"` + Links []LinkElement `json:"links,omitempty" yaml:"links,omitempty" xml:"links,omitempty"` + // A machine-oriented identifier reference to the party that manages the leveraged system. + PartyUUID string `json:"party-uuid" yaml:"party-uuid" xml:"party-uuid"` + Props []Property `json:"props,omitempty" yaml:"props,omitempty" xml:"props,omitempty"` + Remarks *string `json:"remarks,omitempty" yaml:"remarks,omitempty" xml:"remarks,omitempty"` + // A human readable name for the leveraged authorization in the context of the system. + Title string `json:"title" yaml:"title" xml:"title"` + // A machine-oriented, globally unique identifier with cross-instance scope and can be used + // to reference this leveraged authorization elsewhere in this or other OSCAL instances. 
The + // locally defined UUID of the leveraged authorization can be used to reference the data + // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + // assigned per-subject, which means it should be consistently used to identify the same + // subject across revisions of the document. + UUID string `json:"uuid" yaml:"uuid" xml:"uuid"` +} + +// Indicates the transport type. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type Transport string + +const ( + TCP Transport = "TCP" + UDP Transport = "UDP" +) -type InformationType struct { - AvailabilityImpact *Impact `json:"availability-impact,omitempty" yaml:"availability-impact,omitempty"` - Categorizations *[]InformationTypeCategorization `json:"categorizations,omitempty" yaml:"categorizations,omitempty"` - ConfidentialityImpact *Impact `json:"confidentiality-impact,omitempty" yaml:"confidentiality-impact,omitempty"` - Description string `json:"description" yaml:"description"` - IntegrityImpact *Impact `json:"integrity-impact,omitempty" yaml:"integrity-impact,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Title string `json:"title" yaml:"title"` - UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` -} +// The operational status. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. 
+// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. 
+// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type PurpleState string + +const ( + PurpleDisposition PurpleState = "disposition" + PurpleOperational PurpleState = "operational" + PurpleOther PurpleState = "other" + PurpleUnderDevelopment PurpleState = "under-development" +) -type Hash struct { - Algorithm string `json:"algorithm" yaml:"algorithm"` - Value string `json:"value" yaml:"value"` -} +// A category describing the kind of party the object describes. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type PartyType string + +const ( + Organization PartyType = "organization" + Person PartyType = "person" +) -type LoggedBy struct { - PartyUuid string `json:"party-uuid" yaml:"party-uuid"` - RoleId string `json:"role-id,omitempty" yaml:"role-id,omitempty"` -} +// The unit of time for the period. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. 
+// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. 
+type TimeUnit string + +const ( + Days TimeUnit = "days" + Hours TimeUnit = "hours" + Minutes TimeUnit = "minutes" + Months TimeUnit = "months" + Seconds TimeUnit = "seconds" + Years TimeUnit = "years" +) -type ControlStatementImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - StatementId string `json:"statement-id" yaml:"statement-id"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The kind of actor. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. 
+// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. 
+// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type ActorType string + +const ( + AssessmentPlatform ActorType = "assessment-platform" + Party ActorType = "party" + Tool ActorType = "tool" +) -type IdentifiedSubject struct { - SubjectPlaceholderUuid string `json:"subject-placeholder-uuid" yaml:"subject-placeholder-uuid"` - Subjects []AssessmentSubject `json:"subjects" yaml:"subjects"` -} +// An indication as to whether the objective is satisfied or not. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ObjectiveStatusState string + +const ( + NotSatisfied ObjectiveStatusState = "not-satisfied" + Satisfied ObjectiveStatusState = "satisfied" +) -type RiskResponseReference struct { - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - RelatedTasks *[]RelatedTask `json:"related-tasks,omitempty" yaml:"related-tasks,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponseUuid string `json:"response-uuid" yaml:"response-uuid"` -} +// Identifies the type of the target. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. 
Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. 
This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FindingTargetType string + +const ( + ObjectiveID FindingTargetType = "objective-id" + StatementID FindingTargetType = "statement-id" +) -type Export struct { - Description string `json:"description,omitempty" yaml:"description,omitempty"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Provided *[]ProvidedControlImplementation `json:"provided,omitempty" yaml:"provided,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - Responsibilities *[]ControlImplementationResponsibility `json:"responsibilities,omitempty" yaml:"responsibilities,omitempty"` -} +// Describes the number of selections that must occur. Without this setting, only one value +// should be assumed to be permitted. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ParameterCardinality string + +const ( + One ParameterCardinality = "one" + OneOrMore ParameterCardinality = "one-or-more" +) -type InheritedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// When a control is included, whether its child (dependent) controls are also included. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. 
+// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. 
+// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. 
+// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type IncludeContainedControlsWithControl string + +const ( + No IncludeContainedControlsWithControl = "no" + Yes IncludeContainedControlsWithControl = "yes" +) -type SatisfiedControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibilityUuid string `json:"responsibility-uuid,omitempty" yaml:"responsibility-uuid,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Declare how clashing controls should be handled. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. 
This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. 
+// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type CombinationMethod string + +const ( + CombinationMethodKeep CombinationMethod = "keep" + Merge CombinationMethod = "merge" + UseFirst CombinationMethod = "use-first" +) -type Impact struct { - AdjustmentJustification string `json:"adjustment-justification,omitempty" yaml:"adjustment-justification,omitempty"` - Base string `json:"base" yaml:"base"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Selected string `json:"selected,omitempty" yaml:"selected,omitempty"` -} +// A designation of how a selection of controls in a profile is to be ordered. +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). 
+// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. 
+// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. 
+type Order string + +const ( + Ascending Order = "ascending" + Descending Order = "descending" + OrderKeep Order = "keep" +) -type InformationTypeCategorization struct { - InformationTypeIds *[]string `json:"information-type-ids,omitempty" yaml:"information-type-ids,omitempty"` - System string `json:"system" yaml:"system"` -} +// Where to add the new content with respect to the targeted element (beside it or inside +// it). +// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. 
+// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. 
+// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. +// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type Position string + +const ( + After Position = "after" + Before Position = "before" + Ending Position = "ending" + Starting Position = "starting" +) -type ProvidedControlImplementation struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// Identify items to remove by the name of the item's information object name, e.g. title or +// prop. 
+// +// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +// the name that will be assigned to the file when the file is decoded. +// +// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +// https://www.w3.org/TR/xmlschema11-2/#NCName. +// +// A textual label that provides a sub-type or characterization of the property's name. +// +// An identifier for relating distinct sets of properties. +// +// A textual label, within a namespace, that uniquely identifies a specific attribute, +// characteristic, or quality of the property's containing object. +// +// A textual label that provides a sub-type or characterization of the control. +// +// Identifies a control such that it can be referenced in the defining catalog and other +// OSCAL instances (e.g., profiles). +// +// A textual label that provides a characterization of the type, purpose, use or scope of +// the parameter. +// +// (deprecated) Another parameter invoking this one. This construct has been deprecated and +// should not be used. +// +// A unique identifier for the parameter. +// +// An optional textual providing a sub-type or characterization of the part's name, or a +// category to which the part belongs. +// +// A unique identifier for the part. +// +// A textual label that uniquely identifies the part's semantic type, which exists in a +// value space qualified by the ns. +// +// A textual label that provides a sub-type or characterization of the group. +// +// Identifies the group for the purpose of cross-linking within the defining instance or +// from other instances that reference the catalog. +// +// A reference to a role performed by a party. +// +// The type of action documented by the assembly, such as an approval. +// +// A unique identifier for the role. +// +// Identifies the group. +// +// Target location of the addition. +// +// A reference to a control with a corresponding id value. 
When referencing an externally +// defined control, the Control Identifier Reference must be used in the context of the +// external / imported OSCAL instance (e.g., uri-reference). +// +// Identify items to remove by matching their class. +// +// Identify items to remove indicated by their id. +// +// Identify items remove by matching their assigned name. +// +// Identify items to remove by the item's ns, which is the namespace associated with a part, +// or prop. +// +// A textual label that provides a characterization of the parameter. +// +// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +// and should not be used. +// +// An identifier for the parameter. +// +// A human-oriented identifier reference to a role performed. +// +// A human-oriented reference to a parameter within a control, who's catalog has been +// imported into the current implementation context. +// +// A human-oriented identifier reference to a control statement. +// +// Points to an assessment objective. +// +// Used to constrain the selection to only specificity identified statements. +// +// A textual label that provides a sub-type or characterization of the part's name. This can +// be used to further distinguish or discriminate between the semantics of multiple parts of +// the same control with the same name and ns. +// +// A point to the role-id of the role in which the party is making the log entry. +// +// For a party, this can optionally be used to specify the role the actor was performing. +// +// A machine-oriented identifier reference for a specific target qualified by the type. +// +// The name of the risk metric within the specified system. +// +// Selecting a control by its ID given as a literal. +// +// Reference to a role by UUID. +// +// Describes the type of relationship provided by the link's hypertext reference. This can +// be an indicator of the link's purpose. +// +// Indicates the type of address. 
+// +// Identifies the implementation status of the control or control objective. +// +// Used to indicate the type of object pointed to by the uuid-ref within a subject. +// +// Indicates the type of assessment subject, such as a component, inventory, item, location, +// or party represented by this selection statement. +// +// The type of task. +// +// A textual label that uniquely identifies the part's semantic type. +// +// The reason the objective was given it's status. +// +// Identifies the nature of the observation. More than one may be used to further qualify +// and enable filtering. +// +// Identifies whether this is a recommendation, such as from an assessor or tool, or an +// actual plan accepted by the system owner. +// +// Describes the status of the associated risk. +type ItemNameReference string + +const ( + Link ItemNameReference = "link" + Map ItemNameReference = "map" + Mapping ItemNameReference = "mapping" + Param ItemNameReference = "param" + Part ItemNameReference = "part" + Prop ItemNameReference = "prop" +) -type ControlImplementationResponsibility struct { - Description string `json:"description" yaml:"description"` - Links *[]Link `json:"links,omitempty" yaml:"links,omitempty"` - Props *[]Property `json:"props,omitempty" yaml:"props,omitempty"` - ProvidedUuid string `json:"provided-uuid,omitempty" yaml:"provided-uuid,omitempty"` - Remarks string `json:"remarks,omitempty" yaml:"remarks,omitempty"` - ResponsibleRoles *[]ResponsibleRole `json:"responsible-roles,omitempty" yaml:"responsible-roles,omitempty"` - UUID string `json:"uuid" yaml:"uuid"` -} +// The current operating status. +// +// A label that indicates the nature of a resource, as a data serialization or format. +// +// A non-empty string with leading and trailing whitespace disallowed. 
Whitespace is: U+9, +// U+10, U+32 or [ +// ]+ +// +// In case where the href points to a back-matter/resource, this value will indicate the URI +// fragment to append to any rlink associated with the resource. This value MUST be URI +// encoded. +// +// Indicates the value of the attribute, characteristic, or quality. +// +// A formal (executable) expression of a constraint. +// +// City, town or geographical region for the mailing address. +// +// The ISO 3166-1 alpha-2 country code for the mailing address. +// +// Postal or ZIP code for mailing address. +// +// State, province or analogous geographical region for a mailing address. +// +// The full name of the party. This is typically the legal name associated with the party. +// +// A short common name, abbreviation, or acronym for the party. +// +// A short common name, abbreviation, or acronym for the role. +// +// A glob expression matching the IDs of one or more controls to be selected. +// +// A parameter value or set of values. +// +// The capability's human-readable name. +// +// The common name of the protocol, which should be the appropriate "service name" from the +// IANA Service Name and Transport Protocol Port Number Registry. +// +// A target-level of availability for the system, based on the sensitivity of information +// within the system. +// +// A target-level of confidentiality for the system, based on the sensitivity of information +// within the system. +// +// A target-level of integrity for the system, based on the sensitivity of information +// within the system. +// +// The overall information system sensitivity categorization, such as defined by FIPS-199. +// +// A human-oriented, globally unique identifier qualified by the given identification system +// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +// reference this system elsewhere in this or other OSCAL instances. 
This id should be +// assigned per-subject, which means it should be consistently used to identify the same +// subject across revisions of the document. +// +// The full name of the system. +// +// A short name for the system, such as an acronym, that is suitable for display in a data +// table or summary list. +// +// A short common name, abbreviation, or acronym for the user. +// +// Indicates the value of the facet. +// +// A single line of an address. +// +// The OSCAL model version the document was authored against and will conform to as valid. +// +// Used to distinguish a specific revision of an OSCAL document from other previous and +// future versions. +// +// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +// +// The selected (Confidentiality, Integrity, or Availability) security impact level. +// +// Describes a function performed for a given authorized privilege by this user class. +// +// The digest method by which a hash is derived. +// +// Indicates the type of phone number. +// +// A category describing the purpose of the component. +// +// Identifies how the observation was made. +type FluffyState string + +const ( + FluffyDisposition FluffyState = "disposition" + FluffyOperational FluffyState = "operational" + FluffyOther FluffyState = "other" + FluffyUnderDevelopment FluffyState = "under-development" + UnderMajorModification FluffyState = "under-major-modification" +) diff --git a/src/types/quicktype/oscal-1-0-4/types.go b/src/types/quicktype/oscal-1-0-4/types.go deleted file mode 100644 index bf319650..00000000 --- a/src/types/quicktype/oscal-1-0-4/types.go +++ /dev/null 
@@ -1,2290 +0,0 @@ -// This file was generated from JSON Schema using quicktype, do not modify it directly. -// To parse and unparse this JSON data, add this code to your project and do: -// -// oscalModels, err := UnmarshalOscalModels(bytes) -// bytes, err = oscalModels.Marshal() - -package oscalTypes_1_0_4 - -import "time" - -import "encoding/json" - -func UnmarshalOscalModels(data []byte) (OscalModels, error) { - var r OscalModels - err := json.Unmarshal(data, &r) - return r, err -} - -func (r *OscalModels) Marshal() ([]byte, error) { - return json.Marshal(r) -} - -type OscalModels struct { - Catalog *Catalog `json:"catalog,omitempty"` - Profile *Profile `json:"profile,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` - SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` - AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` - AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` -} - -// An assessment plan, such as those provided by a FedRAMP assessor. -type SecurityAssessmentPlanSAP struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. 
- LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Tasks []Task `json:"tasks,omitempty"` - // Used to define various terms and conditions under which an assessment, described by the - // plan, can be performed. Each child part defines a different type of term or condition. - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment plan in this or other OSCAL instances. The locally defined - // UUID of the assessment plan can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Identifies the assets used to perform this assessment, such as the assessment team, -// scanning tools, and assumptions. -type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` -} - -// Used to represent the toolset used to perform aspects of the assessment. -type AssessmentPlatformElement struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for the assessment platform. - Title *string `json:"title,omitempty"` - UsesComponents []UsesComponent `json:"uses-components,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the assessment platform can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A reference to a local or remote resource -type Link struct { - // A resolvable URL reference to a resource. - Href string `json:"href"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` - // Describes the type of relationship provided by the link. This can be an indicator of the - // link's purpose. - Rel *string `json:"rel,omitempty"` - // A textual label to associate with the link, which may be used for presentation in a tool. - Text *string `json:"text,omitempty"` -} - -// An attribute, characteristic, or quality of the containing object expressed as a -// namespace qualified name/value pair. The value of a property is a simple scalar value, -// which may be expressed as a list of values. -type Property struct { - // A textual label that provides a sub-type or characterization of the property's name. This - // can be used to further distinguish or discriminate between the semantics of multiple - // properties of the same object with the same name and ns. - Class *string `json:"class,omitempty"` - // A textual label that uniquely identifies a specific attribute, characteristic, or quality - // of the property's containing object. - Name string `json:"name"` - // A namespace qualifying the property's name. This allows different organizations to - // associate distinct semantics with the same name. 
- NS *string `json:"ns,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined property elsewhere in this or other OSCAL instances. This UUID - // should be assigned per-subject, which means it should be consistently used to identify - // the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` - // Indicates the value of the attribute, characteristic, or quality. - Value string `json:"value"` -} - -// The set of components that are used by the assessment platform. -type UsesComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A reference to a set of organizations or persons that have responsibility for performing -// a referenced role in the context of the containing object. -type ResponsibleParty struct { - Links []Link `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to roles served by the user. - RoleID string `json:"role-id"` -} - -// A defined component that can be part of an implemented system. -type AssessmentAssetsComponent struct { - // A description of the component, including information about its function. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. 
- Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // Describes the operational status of the system component. - Status ComponentStatus `json:"status"` - // A human readable name for the system component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Information about the protocol used to provide a service. -type ServiceProtocolInformation struct { - // The common name of the protocol, which should be the appropriate "service name" from the - // IANA Service Name and Transport Protocol Port Number Registry. - Name string `json:"name"` - PortRanges []PortRange `json:"port-ranges,omitempty"` - // A human readable name for the protocol (e.g., Transport Layer Security). - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this service protocol information elsewhere in this or other OSCAL - // instances. The locally defined UUID of the service protocol can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. 
- UUID *string `json:"uuid,omitempty"` -} - -// Where applicable this is the IPv4 port range on which the service operates. -type PortRange struct { - // Indicates the ending port number in a port range - End *int64 `json:"end,omitempty"` - // Indicates the starting port number in a port range - Start *int64 `json:"start,omitempty"` - // Indicates the transport type. - Transport *Transport `json:"transport,omitempty"` -} - -// A reference to one or more roles with responsibility for performing a function relative -// to the containing object. -type ResponsibleRole struct { - Links []Link `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to roles responsible for the business function. - RoleID string `json:"role-id"` -} - -// Describes the operational status of the system component. -type ComponentStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The operational status. - State PurpleState `json:"state"` -} - -// Identifies system elements being assessed, such as components, inventory items, and -// locations. In the assessment plan, this identifies a planned assessment subject. In the -// assessment results this is an actual assessment subject, and reflects any changes from -// the plan. exactly what will be the focus of this assessment. Any subjects not identified -// in this way are out-of-scope. -type SubjectOfAssessment struct { - // A human-readable description of the collection of subjects being included in this - // assessment. 
- Description *string `json:"description,omitempty"` - ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Indicates the type of assessment subject, such as a component, inventory, item, location, - // or party represented by this selection statement. - Type string `json:"type"` -} - -// Identifies a set of assessment subjects to include/exclude by UUID. -type SelectAssessmentSubject struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// Include all controls from the imported catalog or profile resources. -type IncludeAll struct { -} - -// A collection of resources, which may be included directly or by reference. -type BackMatter struct { - Resources []Resource `json:"resources,omitempty"` -} - -// A resource associated with content in the containing document. A resource may be directly -// included in the document base64 encoded or may point to one or more equivalent internet -// resources. -type Resource struct { - // The Base64 alphabet in RFC 2045 - aligned with XSD. - Base64 *Base64 `json:"base64,omitempty"` - // A citation consisting of end note text and optional structured bibliographic data. - Citation *Citation `json:"citation,omitempty"` - // A short summary of the resource used to indicate the purpose of the resource. 
- Description *string `json:"description,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Rlinks []ResourceLink `json:"rlinks,omitempty"` - // A name given to the resource, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID - // should be assigned per-subject, which means it should be consistently used to identify - // the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// The Base64 alphabet in RFC 2045 - aligned with XSD. -type Base64 struct { - // Name of the file before it was encoded as Base64 to be embedded in a resource. This is - // the name that will be assigned to the file when the file is decoded. - Filename *string `json:"filename,omitempty"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` - Value string `json:"value"` -} - -// A citation consisting of end note text and optional structured bibliographic data. -type Citation struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A line of citation text. - Text string `json:"text"` -} - -// A document identifier qualified by an identifier scheme. A document identifier provides a -// globally unique identifier with a cross-instance scope that is used for a group of -// documents that are to be treated as different versions of the same document. If this -// element does not appear, or if the value of this element is empty, the value of -// "document-id" is equal to the value of the "uuid" flag of the top-level root element. 
-type DocumentIdentifier struct { - Identifier string `json:"identifier"` - // Qualifies the kind of document identifier using a URI. If the scheme is not provided the - // value of the element will be interpreted as a string of characters. - Scheme *string `json:"scheme,omitempty"` -} - -// A pointer to an external resource with an optional hash for verification and change -// detection. -type ResourceLink struct { - Hashes []Hash `json:"hashes,omitempty"` - // A resolvable URI reference to a resource. - Href string `json:"href"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` -} - -// A representation of a cryptographic digest generated over a resource using a specified -// hash algorithm. -type Hash struct { - // Method by which a hash is derived - Algorithm string `json:"algorithm"` - Value string `json:"value"` -} - -// Used by the assessment plan and POA&M to import information about the system. -type ImportSystemSecurityPlan struct { - // A resolvable URL reference to the system security plan for the system being assessed. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentPlanLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Identifies an assessment or related process that can be performed. In the assessment -// plan, this is an intended activity which may be associated with an assessment task. 
In -// the assessment results, this an activity that was actually performed as part of an -// assessment. -type Activity struct { - // A human-readable description of this included activity. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Steps []Step `json:"steps,omitempty"` - // The title for this included activity. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment activity elsewhere in this or other OSCAL instances. The - // locally defined UUID of the activity can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies the controls being assessed and their control objectives. -type ReviewedControlsAndControlObjectives struct { - ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections"` - // A human-readable description of control objectives. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Identifies the control objectives of the assessment. In the assessment plan, these are -// the planned objectives. In the assessment results, these are the assessed objectives, and -// reflects any changes from the plan. 
-type ReferencedControlObjectives struct { - // A human-readable description of this collection of control objectives. - Description *string `json:"description,omitempty"` - ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control objective for inclusion/exclusion based on the control -// objective's identifier. -type SelectObjective struct { - // Points to an assessment objective. - ObjectiveID string `json:"objective-id"` -} - -// Identifies the controls being assessed. In the assessment plan, these are the planned -// controls. In the assessment results, these are the actual controls, and reflects any -// changes from the plan. -type AssessedControls struct { - // A human-readable description of in-scope controls specified for assessment. - Description *string `json:"description,omitempty"` - ExcludeControls []SelectControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []SelectControl `json:"include-controls,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control for inclusion/exclusion based on one or more control -// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion -// to only specific control statements providing more granularity over the specific -// statements that are within the asessment scope. -type SelectControl struct { - // A human-oriented identifier reference to a control with a corresponding id value. 
When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - StatementIDS []string `json:"statement-ids,omitempty"` -} - -// Identifies an individual step in a series of steps related to an activity, such as an -// assessment test or examination procedure. -type Step struct { - // A human-readable description of this step. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` - // The title for this step. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this step elsewhere in this or other OSCAL instances. The locally defined - // UUID of the step (in a series of steps) can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A single managed inventory item within the system. -type InventoryItem struct { - // A summary of the inventory item stating its purpose within the system. 
- Description string `json:"description"` - ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inventory item elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inventory item can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// The set of components that are implemented in a given system inventory item. -type ImplementedComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A local definition of a control objective for this assessment. Uses catalog syntax for -// control objective and assessment actions. -type AssessmentSpecificControlObjective struct { - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A human-readable description of this control objective. 
- Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Parts []Part `json:"parts"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A partition of a control's definition or a child of another part. -type Part struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined part elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, this identifier must be referenced in the context of the - // containing resource (e.g., import-profile). This id should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - ID *string `json:"id,omitempty"` - Links []Link `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name string `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// A type of user that interacts with the system based on an associated role. -type SystemUser struct { - AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` - // A summary of the user's purpose within the system. 
- Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RoleIDS []string `json:"role-ids,omitempty"` - // A short common name, abbreviation, or acronym for the user. - ShortName *string `json:"short-name,omitempty"` - // A name given to the user, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this user class elsewhere in this or other OSCAL instances. The locally - // defined UUID of the system user can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies a specific system privilege held by the user, along with an associated -// description and/or rationale for the privilege. -type Privilege struct { - // A summary of the privilege's purpose within the system. - Description *string `json:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed"` - // A human readable name for the privilege. - Title string `json:"title"` -} - -// Provides information about the publication and availability of the containing document. 
-type PublicationMetadata struct { - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified"` - Links []Link `json:"links,omitempty"` - Locations []Location `json:"locations,omitempty"` - OscalVersion string `json:"oscal-version"` - Parties []PartyOrganizationOrPerson `json:"parties,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` - Roles []Role `json:"roles,omitempty"` - // A name given to the document, which may be used by a tool for display and navigation. - Title string `json:"title"` - Version string `json:"version"` -} - -// A location, with associated metadata that can be referenced. -type Location struct { - Address Address `json:"address"` - EmailAddresses []string `json:"email-addresses,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A name given to the location, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - Urls []string `json:"urls,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined location elsewhere in this or other OSCAL instances. The - // locally defined UUID of the location can be used to reference the data item locally or - // globally (e.g., from an importing OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A postal address for the location. 
-type Address struct { - AddrLines []string `json:"addr-lines,omitempty"` - // City, town or geographical region for the mailing address. - City *string `json:"city,omitempty"` - // The ISO 3166-1 alpha-2 country code for the mailing address. - Country *string `json:"country,omitempty"` - // Postal or ZIP code for mailing address - PostalCode *string `json:"postal-code,omitempty"` - // State, province or analogous geographical region for mailing address - State *string `json:"state,omitempty"` - // Indicates the type of address. - Type *string `json:"type,omitempty"` -} - -// Contact number by telephone. -type TelephoneNumber struct { - Number string `json:"number"` - // Indicates the type of phone number. - Type *string `json:"type,omitempty"` -} - -// A responsible entity which is either a person or an organization. -type PartyOrganizationOrPerson struct { - Addresses []Address `json:"addresses,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` - Links []Link `json:"links,omitempty"` - LocationUuids []string `json:"location-uuids,omitempty"` - MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` - // The full name of the party. This is typically the legal name associated with the party. - Name *string `json:"name,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the party. - ShortName *string `json:"short-name,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A category describing the kind of party the object describes. - Type PartyType `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined party elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the party can be used to reference the data item locally or globally - // (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// An identifier for a person or organization using a designated scheme. e.g. an Open -// Researcher and Contributor ID (ORCID) -type PartyExternalIdentifier struct { - ID string `json:"id"` - // Indicates the type of external identifier. - Scheme string `json:"scheme"` -} - -// An entry in a sequential list of revisions to the containing document in reverse -// chronological order (i.e., most recent previous revision first). -type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty"` - Links []Link `json:"links,omitempty"` - OscalVersion *string `json:"oscal-version,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A name given to the document revision, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - Version string `json:"version"` -} - -// Defines a function assumed or expected to be assumed by a party in a specific situation. -type Role struct { - // A summary of the role's purpose and associated responsibilities. - Description *string `json:"description,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined role elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL - // instance must be referenced in the context of the containing resource (e.g., import, - // import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ID string `json:"id"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the role. - ShortName *string `json:"short-name,omitempty"` - // A name given to the role, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Represents a scheduled event or milestone, which may be associated with a series of -// assessment actions. -type Task struct { - AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` - Dependencies []TaskDependency `json:"dependencies,omitempty"` - // A human-readable description of this task. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The timing under which the task is intended to occur. - Timing *EventTiming `json:"timing,omitempty"` - // The title for this task. - Title string `json:"title"` - // The type of task. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this task elsewhere in this or other OSCAL instances. The locally defined - // UUID of the task can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. 
- UUID string `json:"uuid"` -} - -// Identifies an individual activity to be performed as part of a task. -type AssociatedActivity struct { - // A machine-oriented identifier reference to an activity defined in the list of activities. - ActivityUUID string `json:"activity-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// Used to indicate that a task is dependent on another task. -type TaskDependency struct { - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// The timing under which the task is intended to occur. -type EventTiming struct { - // The task is intended to occur at the specified frequency. - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` - // The task is intended to occur on the specified date. - OnDate *OnDateCondition `json:"on-date,omitempty"` - // The task is intended to occur within the specified date range. - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` -} - -// The task is intended to occur at the specified frequency. -type FrequencyCondition struct { - // The task must occur after the specified period has elapsed. - Period int64 `json:"period"` - // The unit of time for the period. - Unit TimeUnit `json:"unit"` -} - -// The task is intended to occur on the specified date. -type OnDateCondition struct { - // The task must occur on the specified date. - Date time.Time `json:"date"` -} - -// The task is intended to occur within the specified date range. -type OnDateRangeCondition struct { - // The task must occur on or before the specified date. - End time.Time `json:"end"` - // The task must occur on or after the specified date. 
- Start time.Time `json:"start"` -} - -// Used to define various terms and conditions under which an assessment, described by the -// plan, can be performed. Each child part defines a different type of term or condition. -type AssessmentPlanTermsAndConditions struct { - Parts []AssessmentPart `json:"parts,omitempty"` -} - -// A partition of an assessment plan or results or a child of another part. -type AssessmentPart struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - Links []Link `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name string `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []AssessmentPart `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this part elsewhere in this or other OSCAL instances. The locally defined - // UUID of the part can be used to reference the data item locally or globally (e.g., in an - // ported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP -// Security Assessment Report. 
-type SecurityAssessmentResultsSAR struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportAp ImportAssessmentPlan `json:"import-ap"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Results []AssessmentResult `json:"results"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment results instance in this or other OSCAL instances. The - // locally defined UUID of the assessment result can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Used by assessment-results to import information about the original plan for assessing -// the system. -type ImportAssessmentPlan struct { - // A resolvable URL reference to the assessment plan governing the assessment activities. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentResultsLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used by the assessment results and POA&M. In the assessment results, this identifies all -// of the assessment observations and findings, initial and residual risks, deviations, and -// disposition. In the POA&M, this identifies initial and residual risks, deviations, and -// disposition. 
-type AssessmentResult struct { - // A log of all assessment-related actions taken. - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` - Attestations []AttestationStatements `json:"attestations,omitempty"` - // A human-readable description of this set of test results. - Description string `json:"description"` - // Date/time stamp identifying the end of the evidence collection reflected in these - // results. In a continuous motoring scenario, this may contain the same value as start if - // appropriate. - End *time.Time `json:"end,omitempty"` - Findings []Finding `json:"findings,omitempty"` - Links []Link `json:"links,omitempty"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` - Observations []Observation `json:"observations,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - // Date/time stamp identifying the start of the evidence collection reflected in these - // results. - Start time.Time `json:"start"` - // The title for this set of results. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this set of results in this or other OSCAL instances. The locally defined - // UUID of the assessment result can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all assessment-related actions taken. 
-type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries"` -} - -// Identifies the result of an action and/or task that occurred as part of executing an -// assessment plan or an assessment event that occurred in producing the assessment results. -type AssessmentLogEntry struct { - // A human-readable description of this event. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of an event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []Link `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of an event. - Start time.Time `json:"start"` - // The title for this event. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference an assessment event in this or other OSCAL instances. The locally defined - // UUID of the assessment log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Used to indicate who created a log entry in what role. -type LoggedBy struct { - // A machine-oriented identifier reference to the party who is making the log entry. - PartyUUID string `json:"party-uuid"` - // A point to the role-id of the role in which the party is making the log entry. - RoleID *string `json:"role-id,omitempty"` -} - -// Identifies an individual task for which the containing object is a consequence of. 
-type TaskReference struct { - // Used to detail assessment subjects that were identfied by this task. - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// Used to detail assessment subjects that were identfied by this task. -type IdentifiedSubject struct { - // A machine-oriented identifier reference to a unique assessment subject placeholder - // defined by this task. - SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// A set of textual statements, typically written by the assessor. -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// Describes an individual finding. -type Finding struct { - // A human-readable description of this finding. - Description string `json:"description"` - // A machine-oriented identifier reference to the implementation statement in the SSP to - // which this finding is related. - ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` - Links []Link `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Target TargetClass `json:"target"` - // The title for this finding. 
- Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this finding in this or other OSCAL instances. The locally defined UUID of - // the finding can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the source of the finding, such as a tool, interviewed person, or activity. -type FindingOrigin struct { - Actors []OriginatingActor `json:"actors"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` -} - -// The actor that produces an observation, a finding, or a risk. One or more actor type can -// be used to specify a person that is using a tool. -type OriginatingActor struct { - // A machine-oriented identifier reference to the tool or person based on the associated - // type. - ActorUUID string `json:"actor-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // For a party, this can optionally be used to specify the role the actor was performing. - RoleID *string `json:"role-id,omitempty"` - // The kind of actor. - Type ActorType `json:"type"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type FindingRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type FindingRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. 
- RiskUUID string `json:"risk-uuid"` -} - -// Captures an assessor's conclusions regarding the degree to which an objective is -// satisfied. -type TargetClass struct { - // A human-readable description of the assessor's conclusions regarding the degree to which - // an objective is satisfied. - Description *string `json:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A determination of if the objective is satisfied or not within a given system. - Status StatusClass `json:"status"` - // A machine-oriented identifier reference for a specific target qualified by the type. - TargetID string `json:"target-id"` - // The title for this objective status. - Title *string `json:"title,omitempty"` - // Identifies the type of the target. - Type FindingTargetType `json:"type"` -} - -// Indicates the degree to which the a given control is implemented. -type ImplementationStatus struct { - Remarks *string `json:"remarks,omitempty"` - // Identifies the implementation status of the control or control objective. - State string `json:"state"` -} - -// A determination of if the objective is satisfied or not within a given system. -type StatusClass struct { - // The reason the objective was given it's status. - Reason *string `json:"reason,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // An indication as to whether the objective is satisfied or not. - State ObjectiveStatusState `json:"state"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type ResultLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Describes an individual observation. -type Observation struct { - // Date/time stamp identifying when the finding information was collected. - Collected time.Time `json:"collected"` - // A human-readable description of this assessment observation. - Description string `json:"description"` - // Date/time identifying when the finding information is out-of-date and no longer valid. - // Typically used with continuous assessment scenarios. - Expires *time.Time `json:"expires,omitempty"` - Links []Link `json:"links,omitempty"` - Methods []string `json:"methods"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this observation. - Title *string `json:"title,omitempty"` - Types []string `json:"types,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this observation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the observation can be used to reference the data item locally or - // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Links this observation to relevant evidence. -type RelevantEvidence struct { - // A human-readable description of this evidence. 
- Description string `json:"description"` - // A resolvable URL reference to relevant evidence. - Href *string `json:"href,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A human-oriented identifier reference to a resource. Use type to indicate whether the -// identified resource is a component, inventory item, location, user, or something else. -type IdentifiesTheSubject struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // The title or name for the referenced subject. - Title *string `json:"title,omitempty"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// An identified risk. -type IdentifiedRisk struct { - Characterizations []Characterization `json:"characterizations,omitempty"` - // The date/time by which the risk must be resolved. - Deadline *time.Time `json:"deadline,omitempty"` - // A human-readable summary of the identified risk, to include a statement of how the risk - // impacts the system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` - Remediations []RiskResponse `json:"remediations,omitempty"` - // A log of all risk-related tasks taken. - RiskLog *RiskLog `json:"risk-log,omitempty"` - // An summary of impact for how the risk affects the system. 
- Statement string `json:"statement"` - Status string `json:"status"` - ThreatIDS []ThreatID `json:"threat-ids,omitempty"` - // The title for this risk. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk elsewhere in this or other OSCAL instances. The locally defined - // UUID of the risk can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A collection of descriptive data about the containing object from a specific origin. -type Characterization struct { - Facets []Facet `json:"facets"` - Links []Link `json:"links,omitempty"` - Origin FindingOrigin `json:"origin"` - Props []Property `json:"props,omitempty"` -} - -// An individual characteristic that is part of a larger set produced by the same actor. -type Facet struct { - Links []Link `json:"links,omitempty"` - // The name of the risk metric within the specified system. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Specifies the naming system under which this risk metric is organized, which allows for - // the same names to be used in different systems controlled by different parties. This - // avoids the potential of a name clash. - System string `json:"system"` - // Indicates the value of the facet. - Value string `json:"value"` -} - -// Describes an existing mitigating factor that may affect the overall determination of the -// risk, with an optional link to an implementation statement in the SSP. -type MitigatingFactor struct { - // A human-readable description of this mitigating factor. 
- Description string `json:"description"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this implementation statement elsewhere in this or other OSCAL instancess. - // The locally defined UUID of the implementation statement can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ImplementationUUID *string `json:"implementation-uuid,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this mitigating factor elsewhere in this or other OSCAL instances. The - // locally defined UUID of the mitigating factor can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type RiskRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Describes either recommended or an actual plan for addressing the risk. -type RiskResponse struct { - // A human-readable description of this response plan. - Description string `json:"description"` - // Identifies whether this is a recommendation, such as from an assessor or tool, or an - // actual plan accepted by the system owner. 
- Lifecycle string `json:"lifecycle"` - Links []Link `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The title for this response activity. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this remediation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk response can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an asset required to achieve remediation. -type RequiredAsset struct { - // A human-readable description of this required asset. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this required asset. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this required asset elsewhere in this or other OSCAL instances. The locally - // defined UUID of the asset can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all risk-related tasks taken. 
-type RiskLog struct { - Entries []RiskLogEntry `json:"entries"` -} - -// Identifies an individual risk response that occurred as part of managing an identified -// risk. -type RiskLogEntry struct { - // A human-readable description of what was done regarding the risk. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of the event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []Link `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of the event. - Start time.Time `json:"start"` - StatusChange *string `json:"status-change,omitempty"` - // The title for this risk log entry. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual risk response that this log entry is for. -type RiskResponseReference struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique risk response. - ResponseUUID string `json:"response-uuid"` -} - -// A pointer, by ID, to an externally-defined threat. 
-type ThreatID struct { - // An optional location for the threat data, from which this ID originates. - Href *string `json:"href,omitempty"` - ID string `json:"id"` - // Specifies the source of the threat information. - System string `json:"system"` -} - -// A collection of controls. -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []ControlGroup `json:"groups,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Params []Parameter `json:"params,omitempty"` - // A globally unique identifier with cross-instance scope for this catalog instance. This - // UUID should be changed when this document is revised. - UUID string `json:"uuid"` -} - -// A structured information object representing a security or privacy control. Each security -// or privacy control within the Catalog is defined by a distinct control instance. -type Control struct { - // A textual label that provides a sub-type or characterization of the control. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - // A human-oriented, locally unique identifier with instance scope that can be used to - // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This - // id should be assigned per-subject, which means it should be consistently used to identify - // the same control across revisions of the document. - ID string `json:"id"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. -type Parameter struct { - // A textual label that provides a characterization of the parameter. 
- Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. This construct has been deprecated - // and should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined parameter elsewhere in this or other OSCAL instances. When - // referenced from another OSCAL instance, this identifier must be referenced in the context - // of the containing resource (e.g., import-profile). This id should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - ID string `json:"id"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A formal or informal expression of a constraint or test -type Constraint struct { - // A textual summary of the constraint to be applied. - Description *string `json:"description,omitempty"` - Tests []ConstraintTest `json:"tests,omitempty"` -} - -// A test expression which is expected to be evaluated by a tool. -type ConstraintTest struct { - // A formal (executable) expression of a constraint - Expression string `json:"expression"` - Remarks *string `json:"remarks,omitempty"` -} - -// A prose statement that provides a recommendation for the use of a parameter. -type Guideline struct { - // Prose permits multiple paragraphs, lists, tables etc. 
- Prose string `json:"prose"` -} - -// Presenting a choice among alternatives -type Selection struct { - Choice []string `json:"choice,omitempty"` - // Describes the number of selections that must occur. Without this setting, only one value - // should be assumed to be permitted. - HowMany *ParameterCardinality `json:"how-many,omitempty"` -} - -// A group of controls, or of groups of controls. -type ControlGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []ControlGroup `json:"groups,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined group elsewhere in in this and other OSCAL instances (e.g., - // profiles). This id should be assigned per-subject, which means it should be consistently - // used to identify the same group across revisions of the document. - ID *string `json:"id,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// A collection of component descriptions, which may optionally be grouped by capability. -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Capabilities []Capability `json:"capabilities,omitempty"` - Components []ComponentDefinitionComponent `json:"components,omitempty"` - ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component definition elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the component definition can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A grouping of other components and/or capabilities. -type Capability struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A summary of the capability. - Description string `json:"description"` - IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` - Links []Link `json:"links,omitempty"` - // The capability's human-readable name. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this capability elsewhere in this or other OSCAL instances. The locally - // defined UUID of the capability can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Defines how the component or capability supports a set of controls. -type ControlImplementationSet struct { - // A description of how the specified set of controls are implemented for the containing - // component or capability. 
- Description string `json:"description"` - ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol - // definition. - Source string `json:"source"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference a set of implemented controls elsewhere in this or other OSCAL instances. - // The locally defined UUID of the control implementation set can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how the containing component or capability implements an individual control. -type ImplementedRequirementElement struct { - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A suggestion for how the specified control may be implemented if the containing component - // or capability is instantiated in a system security plan. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []ControlStatementImplementation `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference a specific control implementation elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance).This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the parameter that will be set by the enclosed value. -type SetParameterValue struct { - // A human-oriented reference to a parameter within a control, who's catalog has been - // imported into the current implementation context. - ParamID string `json:"param-id"` - Remarks *string `json:"remarks,omitempty"` - Values []string `json:"values"` -} - -// Identifies which statements within a control are addressed. -type ControlStatementImplementation struct { - // A summary of how the containing control statement is implemented by the component or - // capability. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. 
- StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// TBD -type IncorporatesComponent struct { - // A machine-oriented identifier reference to a component. - ComponentUUID string `json:"component-uuid"` - // A description of the component, including information about its function. - Description string `json:"description"` -} - -// A defined component that can be part of an implemented system. -type ComponentDefinitionComponent struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A description of the component, including information about its function. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human readable name for the component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Loads a component definition from another resource. -type ImportComponentDefinition struct { - // A link to a resource that defines a set of components and/or capabilities to import into - // this collection. - Href string `json:"href"` -} - -// A plan of action and milestones which identifies initial and residual risks, deviations, -// and disposition, such as those required by FedRAMP. -type PlanOfActionAndMilestonesPOAM struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Observations []Observation `json:"observations,omitempty"` - PoamItems []POAMItem `json:"poam-items"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - SystemID *SystemIdentification `json:"system-id,omitempty"` - // A machine-oriented, globally unique identifier with instancescope that can be used to - // reference this POA&M instance in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Allows components, and inventory-items to be defined within the POA&M for circumstances -// where no OSCAL-based SSP exists, or is not delivered with the POA&M. -type PlanOfActionAndMilestonesLocalDefinitions struct { - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Describes an individual POA&M item. -type POAMItem struct { - // A human-readable description of POA&M item. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Origins []PoamItemOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for this POA&M item . - Title string `json:"title"` - // A machine-oriented, globally unique identifier with instance scope that can be used to - // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Identifies the source of the finding, such as a tool or person. -type PoamItemOrigin struct { - Actors []OriginatingActor `json:"actors"` -} - -// Relates the poam-item to a set of referenced observations that were used to determine the -// finding. -type PoamItemRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type PoamItemRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. - RiskUUID string `json:"risk-uuid"` -} - -// A human-oriented, globally unique identifier with cross-instance scope that can be used -// to reference this system identification property elsewhere in this or other OSCAL -// instances. When referencing an externally defined system identification, the system -// identification must be used in the context of the external / imported OSCAL instance -// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should -// be consistently used to identify the same system across revisions of the document. -type SystemIdentification struct { - ID string `json:"id"` - // Identifies the identification system from which the provided identifier was assigned. - IdentifierType *string `json:"identifier-type,omitempty"` -} - -// Each OSCAL profile is defined by a Profile element -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Imports []ImportResource `json:"imports"` - Merge *MergeControls `json:"merge,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Modify *ModifyControls `json:"modify,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this profile elsewhere in this or other OSCAL instances. The locally defined - // UUID of the profile can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance).This identifier should be assigned per-subject, which means - // it should be consistently used to identify the same profile across revisions of the - // document. - UUID string `json:"uuid"` -} - -// The import designates a catalog or profile to be included (referenced and potentially -// modified) by this profile. The import also identifies which controls to select using the -// include-all, include-controls, and exclude-controls directives. -type ImportResource struct { - ExcludeControls []Call `json:"exclude-controls,omitempty"` - // A resolvable URL reference to the base catalog or profile that this profile is tailoring. - Href string `json:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []Call `json:"include-controls,omitempty"` -} - -// Call a control by its ID -type Call struct { - Matching []MatchControlsByPattern `json:"matching,omitempty"` - // When a control is included, whether its child (dependent) controls are also included. 
- WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` - WithIDS []string `json:"with-ids,omitempty"` -} - -// Select controls by (regular expression) match on ID -type MatchControlsByPattern struct { - // A glob expression matching the IDs of one or more controls to be selected. - Pattern *string `json:"pattern,omitempty"` -} - -// A Merge element provides structuring directives that drive how controls are organized -// after resolution. -type MergeControls struct { - // An As-is element indicates that the controls should be structured in resolution as they - // are structured in their source catalogs. It does not contain any elements or attributes. - AsIs *bool `json:"as-is,omitempty"` - // A Combine element defines how to combine multiple (competing) versions of the same - // control. - Combine *CombinationRule `json:"combine,omitempty"` - // A Custom element frames a structure for embedding represented controls in resolution. - Custom *CustomGrouping `json:"custom,omitempty"` - // Use the flat structuring method. - Flat *Flat `json:"flat,omitempty"` -} - -// A Combine element defines how to combine multiple (competing) versions of the same -// control. -type CombinationRule struct { - // How clashing controls should be handled - Method *CombinationMethod `json:"method,omitempty"` -} - -// A Custom element frames a structure for embedding represented controls in resolution. -type CustomGrouping struct { - Groups []CustomGroup `json:"groups,omitempty"` - InsertControls []SelectControls `json:"insert-controls,omitempty"` -} - -// A group of (selected) controls or of groups of controls -type CustomGroup struct { - // A textual label that provides a sub-type or characterization of the group. 
- Class *string `json:"class,omitempty"` - Groups []CustomGroup `json:"groups,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined group elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, this identifier must be referenced in the context of the - // containing resource (e.g., import-profile). This id should be assigned per-subject, which - // means it should be consistently used to identify the same group across revisions of the - // document. - ID *string `json:"id,omitempty"` - InsertControls []SelectControls `json:"insert-controls,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Specifies which controls to use in the containing context. -type SelectControls struct { - ExcludeControls []Call `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []Call `json:"include-controls,omitempty"` - // A designation of how a selection of controls in a profile is to be ordered. - Order *Order `json:"order,omitempty"` -} - -// Use the flat structuring method. -type Flat struct { -} - -// Set parameters or amend controls in resolution -type ModifyControls struct { - Alters []Alteration `json:"alters,omitempty"` - SetParameters []ParameterSetting `json:"set-parameters,omitempty"` -} - -// An Alter element specifies changes to be made to an included control when a profile is -// resolved. -type Alteration struct { - Adds []Addition `json:"adds,omitempty"` - // A human-oriented identifier reference to a control with a corresponding id value. 
When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Removes []Removal `json:"removes,omitempty"` -} - -// Specifies contents to be added into controls, in resolution -type Addition struct { - // Target location of the addition. - ByID *string `json:"by-id,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - // Where to add the new content with respect to the targeted element (beside it or inside it) - Position *Position `json:"position,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// Specifies objects to be removed from a control based on specific aspects of the object -// that must all match. -type Removal struct { - // Identify items to remove by matching their class. - ByClass *string `json:"by-class,omitempty"` - // Identify items to remove indicated by their id. - ByID *string `json:"by-id,omitempty"` - // Identify items to remove by the name of the item's information element name, e.g. title - // or prop - ByItemName *string `json:"by-item-name,omitempty"` - // Identify items to remove by matching their assigned name - ByName *string `json:"by-name,omitempty"` - // Identify items to remove by the item's ns, which is the namespace associated with a part, - // or prop. - ByNS *string `json:"by-ns,omitempty"` -} - -// A parameter setting, to be propagated to points of insertion -type ParameterSetting struct { - // A textual label that provides a characterization of the parameter. - Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. 
This construct has been deprecated - // and should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []Link `json:"links,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined parameter elsewhere in this or other OSCAL instances. When - // referenced from another OSCAL instance, this identifier must be referenced in the context - // of the containing resource (e.g., import-profile). This id should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - ParamID string `json:"param-id"` - Props []Property `json:"props,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A system security plan, such as those described in NIST SP 800-18 -type SystemSecurityPlanSSP struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ControlImplementation ControlImplementationClass `json:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile"` - Metadata PublicationMetadata `json:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. 
- // The locally defined UUID of the SSP can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes how the system satisfies a set of controls. -type ControlImplementationClass struct { - // A statement describing important things to know about how this set of control - // satisfaction documentation is approached. - Description string `json:"description"` - ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` -} - -// Describes how the system satisfies the requirements of an individual control. -type ControlBasedRequirement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []SpecificControlStatement `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control requirement elsewhere in this or other OSCAL instances. The - // locally defined UUID of the control requirement can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Defines how the referenced component implements a set of controls. -type ComponentControlImplementation struct { - // A machine-oriented identifier reference to the component that is implemeting a given - // control. - ComponentUUID string `json:"component-uuid"` - // An implementation statement that describes how a control or a control statement is - // implemented within the referenced system component. - Description string `json:"description"` - // Identifies content intended for external consumption, such as with leveraged - // organizations. - Export *Export `json:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Inherited []InheritedControlImplementation `json:"inherited,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this by-component entry elsewhere in this or other OSCAL instances. The - // locally defined UUID of the by-component entry can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies content intended for external consumption, such as with leveraged -// organizations. 
-type Export struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be available to another system leveraging this system. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Provided []ProvidedControlImplementation `json:"provided,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` -} - -// Describes a capability which may be inherited by a leveraging system. -type ProvidedControlImplementation struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be provided to another system leveraging this system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this provided entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the provided entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation responsibility imposed on a leveraging system. -type ControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that a leveraging system must implement to satisfy the control - // provided by a leveraged system. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this responsibility elsewhere in this or other OSCAL instances. The locally - // defined UUID of the responsibility can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation inherited by a leveraging system. -type InheritedControlImplementation struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is inheriting from a leveraged system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inherited entry elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the inherited control implementation can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how this system satisfies a responsibility imposed by a leveraged system. -type SatisfiedControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is implementing based on a requirement from a - // leveraged system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a control implementation that satisfies a - // responsibility imposed by a leveraged system. - ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this satisfied control implementation entry elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance). This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies which statements within a control are addressed. 
-type SpecificControlStatement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// Used to import the OSCAL profile representing the system's control baseline. -type ImportProfile struct { - // A resolvable URL reference to the profile or catalog to use as the system's control - // baseline. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Contains the characteristics of the system, such as its name, purpose, and security -// impact level. -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty"` - DateAuthorized *string `json:"date-authorized,omitempty"` - // A summary of the system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level"` - // The overall information system sensitivity categorization, such as defined by FIPS-199. 
- SecuritySensitivityLevel string `json:"security-sensitivity-level"` - Status SystemCharacteristicsStatus `json:"status"` - SystemIDS []SystemIdentification `json:"system-ids"` - SystemInformation SystemInformation `json:"system-information"` - // The full name of the system. - SystemName string `json:"system-name"` - // A short name for the system, such as an acronym, that is suitable for display in a data - // table or summary list. - SystemNameShort *string `json:"system-name-short,omitempty"` -} - -// A description of this system's authorization boundary, optionally supplemented by -// diagrams that illustrate the authorization boundary. -type AuthorizationBoundary struct { - // A summary of the system's authorization boundary. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A graphic that provides a visual representation the system, or some aspect of it. -type Diagram struct { - // A brief caption to annotate the diagram. - Caption *string `json:"caption,omitempty"` - // A summary of the diagram. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined - // UUID of the diagram can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance). This UUID should be assigned per-subject, which means it - // should be consistently used to identify the same subject across revisions of the document. 
- UUID string `json:"uuid"` -} - -// A description of the logical flow of information within the system and across its -// boundaries, optionally supplemented by diagrams that illustrate these flows. -type DataFlow struct { - // A summary of the system's data flow. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A description of the system's network architecture, optionally supplemented by diagrams -// that illustrate the network architecture. -type NetworkArchitecture struct { - // A summary of the system's network architecture. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// The overall level of expected impact resulting from unauthorized disclosure, -// modification, or loss of access to information. -type SecurityImpactLevel struct { - // A target-level of availability for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveAvailability string `json:"security-objective-availability"` - // A target-level of confidentiality for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` - // A target-level of integrity for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveIntegrity string `json:"security-objective-integrity"` -} - -// Describes the operational status of the system. -type SystemCharacteristicsStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The current operating status. 
- State FluffyState `json:"state"` -} - -// Contains details about all information types that are stored, processed, or transmitted -// by the system, such as privacy information, and those defined in NIST SP 800-60. -type SystemInformation struct { - InformationTypes []InformationType `json:"information-types"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` -} - -// Contains details about one information type that is stored, processed, or transmitted by -// the system, such as privacy information, and those defined in NIST SP 800-60. -type InformationType struct { - // The expected level of impact resulting from the disruption of access to or use of the - // described information or the information system. - AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact"` - Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` - // The expected level of impact resulting from the unauthorized disclosure of the described - // information. - ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact"` - // A summary of how this information type is used within the system. - Description string `json:"description"` - // The expected level of impact resulting from the unauthorized modification of the - // described information. - IntegrityImpact IntegrityImpactLevel `json:"integrity-impact"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A human readable name for the information type. This title should be meaningful within - // the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this information type elsewhere in this or other OSCAL instances. The - // locally defined UUID of the information type can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// The expected level of impact resulting from the disruption of access to or use of the -// described information or the information system. -type AvailabilityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// A set of information type identifiers qualified by the given identification system used, -// such as NIST SP 800-60. -type InformationTypeCategorization struct { - InformationTypeIDS []string `json:"information-type-ids,omitempty"` - // Specifies the information type identification system used. - System string `json:"system"` -} - -// The expected level of impact resulting from the unauthorized disclosure of the described -// information. -type ConfidentialityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// The expected level of impact resulting from the unauthorized modification of the -// described information. -type IntegrityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// Provides information as to how the system is implemented. 
-type SystemImplementation struct { - Components []AssessmentAssetsComponent `json:"components"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users"` -} - -// A description of another authorized system from which this system inherits capabilities -// that satisfy security requirements. Another term for this concept is a common control -// provider. -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized"` - Links []Link `json:"links,omitempty"` - // A machine-oriented identifier reference to the party that manages the leveraged system. - PartyUUID string `json:"party-uuid"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human readable name for the leveraged authorization in the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope and can be used - // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The - // locally defined UUID of the leveraged authorization can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Indicates the transport type. -type Transport string - -const ( - TCP Transport = "TCP" - UDP Transport = "UDP" -) - -// The operational status. 
-type PurpleState string - -const ( - PurpleDisposition PurpleState = "disposition" - PurpleOperational PurpleState = "operational" - PurpleOther PurpleState = "other" - PurpleUnderDevelopment PurpleState = "under-development" -) - -// A category describing the kind of party the object describes. -type PartyType string - -const ( - Organization PartyType = "organization" - Person PartyType = "person" -) - -// The unit of time for the period. -type TimeUnit string - -const ( - Days TimeUnit = "days" - Hours TimeUnit = "hours" - Minutes TimeUnit = "minutes" - Months TimeUnit = "months" - Seconds TimeUnit = "seconds" - Years TimeUnit = "years" -) - -// The kind of actor. -type ActorType string - -const ( - AssessmentPlatform ActorType = "assessment-platform" - Party ActorType = "party" - Tool ActorType = "tool" -) - -// An indication as to whether the objective is satisfied or not. -type ObjectiveStatusState string - -const ( - NotSatisfied ObjectiveStatusState = "not-satisfied" - Satisfied ObjectiveStatusState = "satisfied" -) - -// Identifies the type of the target. -type FindingTargetType string - -const ( - ObjectiveID FindingTargetType = "objective-id" - StatementID FindingTargetType = "statement-id" -) - -// Describes the number of selections that must occur. Without this setting, only one value -// should be assumed to be permitted. -type ParameterCardinality string - -const ( - One ParameterCardinality = "one" - OneOrMore ParameterCardinality = "one-or-more" -) - -// When a control is included, whether its child (dependent) controls are also included. 
-type IncludeContainedControlsWithControl string - -const ( - No IncludeContainedControlsWithControl = "no" - Yes IncludeContainedControlsWithControl = "yes" -) - -// How clashing controls should be handled -type CombinationMethod string - -const ( - CombinationMethodKeep CombinationMethod = "keep" - Merge CombinationMethod = "merge" - UseFirst CombinationMethod = "use-first" -) - -// A designation of how a selection of controls in a profile is to be ordered. -type Order string - -const ( - Ascending Order = "ascending" - Descending Order = "descending" - OrderKeep Order = "keep" -) - -// Where to add the new content with respect to the targeted element (beside it or inside it) -type Position string - -const ( - After Position = "after" - Before Position = "before" - Ending Position = "ending" - Starting Position = "starting" -) - -// The current operating status. -type FluffyState string - -const ( - FluffyDisposition FluffyState = "disposition" - FluffyOperational FluffyState = "operational" - FluffyOther FluffyState = "other" - FluffyUnderDevelopment FluffyState = "under-development" - UnderMajorModification FluffyState = "under-major-modification" -) diff --git a/src/types/quicktype/oscal-1-0-5/types.go b/src/types/quicktype/oscal-1-0-5/types.go deleted file mode 100644 index 90bea639..00000000 --- a/src/types/quicktype/oscal-1-0-5/types.go +++ /dev/null 
@@ -1,5258 +0,0 @@ -// This file was generated from JSON Schema using quicktype, do not modify it directly. -// To parse and unparse this JSON data, add this code to your project and do: -// -// oscalModels, err := UnmarshalOscalModels(bytes) -// bytes, err = oscalModels.Marshal() - -package oscalTypes_1_0_5 - -import "time" - -import "encoding/json" - -func UnmarshalOscalModels(data []byte) (OscalModels, error) { - var r OscalModels - err := json.Unmarshal(data, &r) - return r, err -} - -func (r *OscalModels) Marshal() ([]byte, error) { - return json.Marshal(r) -} - -type OscalModels struct { - Catalog *Catalog `json:"catalog,omitempty"` - Profile *Profile `json:"profile,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` - SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` - AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` - AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` -} - -// An assessment plan, such as those provided by a FedRAMP assessor. -type SecurityAssessmentPlanSAP struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. 
- LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Tasks []Task `json:"tasks,omitempty"` - // Used to define various terms and conditions under which an assessment, described by the - // plan, can be performed. Each child part defines a different type of term or condition. - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment plan in this or other OSCAL instances. The locally defined - // UUID of the assessment plan can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Identifies the assets used to perform this assessment, such as the assessment team, -// scanning tools, and assumptions. -type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` -} - -// Used to represent the toolset used to perform aspects of the assessment. -type AssessmentPlatformElement struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for the assessment platform. - Title *string `json:"title,omitempty"` - UsesComponents []UsesComponent `json:"uses-components,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the assessment platform can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A reference to a local or remote resource -type Link struct { - // A resolvable URL reference to a resource. - Href string `json:"href"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` - // Describes the type of relationship provided by the link. This can be an indicator of the - // link's purpose. - Rel *Relation `json:"rel,omitempty"` - // A textual label to associate with the link, which may be used for presentation in a tool. - Text *string `json:"text,omitempty"` -} - -// An attribute, characteristic, or quality of the containing object expressed as a -// namespace qualified name/value pair. The value of a property is a simple scalar value, -// which may be expressed as a list of values. -type Property struct { - // A textual label that provides a sub-type or characterization of the property's name. This - // can be used to further distinguish or discriminate between the semantics of multiple - // properties of the same object with the same name and ns. - Class *string `json:"class,omitempty"` - // A textual label that uniquely identifies a specific attribute, characteristic, or quality - // of the property's containing object. - Name PropertyName `json:"name"` - // A namespace qualifying the property's name. This allows different organizations to - // associate distinct semantics with the same name. 
- NS *string `json:"ns,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined property elsewhere in this or other OSCAL instances. This UUID - // should be assigned per-subject, which means it should be consistently used to identify - // the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` - // Indicates the value of the attribute, characteristic, or quality. - Value string `json:"value"` -} - -// The set of components that are used by the assessment platform. -type UsesComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A reference to a set of organizations or persons that have responsibility for performing -// a referenced role in the context of the containing object. -type ResponsibleParty struct { - Links []Link `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to roles served by the user. - RoleID string `json:"role-id"` -} - -// A defined component that can be part of an implemented system. -type AssessmentAssetsComponent struct { - // A description of the component, including information about its function. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. 
- Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // Describes the operational status of the system component. - Status ComponentStatus `json:"status"` - // A human readable name for the system component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type PurpleComponentType `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Information about the protocol used to provide a service. -type ServiceProtocolInformation struct { - // The common name of the protocol, which should be the appropriate "service name" from the - // IANA Service Name and Transport Protocol Port Number Registry. - Name string `json:"name"` - PortRanges []PortRange `json:"port-ranges,omitempty"` - // A human readable name for the protocol (e.g., Transport Layer Security). - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this service protocol information elsewhere in this or other OSCAL - // instances. The locally defined UUID of the service protocol can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. 
- UUID *string `json:"uuid,omitempty"` -} - -// Where applicable this is the IPv4 port range on which the service operates. -type PortRange struct { - // Indicates the ending port number in a port range - End *int64 `json:"end,omitempty"` - // Indicates the starting port number in a port range - Start *int64 `json:"start,omitempty"` - // Indicates the transport type. - Transport *Transport `json:"transport,omitempty"` -} - -// A reference to one or more roles with responsibility for performing a function relative -// to the containing object. -type ResponsibleRole struct { - Links []Link `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to roles responsible for the business function. - RoleID string `json:"role-id"` -} - -// Describes the operational status of the system component. -type ComponentStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The operational status. - State PurpleState `json:"state"` -} - -// Identifies system elements being assessed, such as components, inventory items, and -// locations. In the assessment plan, this identifies a planned assessment subject. In the -// assessment results this is an actual assessment subject, and reflects any changes from -// the plan. exactly what will be the focus of this assessment. Any subjects not identified -// in this way are out-of-scope. -type SubjectOfAssessment struct { - // A human-readable description of the collection of subjects being included in this - // assessment. 
- Description *string `json:"description,omitempty"` - ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Indicates the type of assessment subject, such as a component, inventory, item, location, - // or party represented by this selection statement. - Type SubjectType `json:"type"` -} - -// Identifies a set of assessment subjects to include/exclude by UUID. -type SelectAssessmentSubject struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type SubjectUniversallyUniqueIdentifierReferenceType `json:"type"` -} - -// Include all controls from the imported catalog or profile resources. -type IncludeAll struct { -} - -// A collection of resources, which may be included directly or by reference. -type BackMatter struct { - Resources []ResourceElement `json:"resources,omitempty"` -} - -// A resource associated with content in the containing document. A resource may be directly -// included in the document base64 encoded or may point to one or more equivalent internet -// resources. -type ResourceElement struct { - // The Base64 alphabet in RFC 2045 - aligned with XSD. - Base64 *Base64 `json:"base64,omitempty"` - // A citation consisting of end note text and optional structured bibliographic data. - Citation *Citation `json:"citation,omitempty"` - // A short summary of the resource used to indicate the purpose of the resource. 
- Description *string `json:"description,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Rlinks []ResourceLink `json:"rlinks,omitempty"` - // A name given to the resource, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID - // should be assigned per-subject, which means it should be consistently used to identify - // the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// The Base64 alphabet in RFC 2045 - aligned with XSD. -type Base64 struct { - // Name of the file before it was encoded as Base64 to be embedded in a resource. This is - // the name that will be assigned to the file when the file is decoded. - Filename *string `json:"filename,omitempty"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` - Value string `json:"value"` -} - -// A citation consisting of end note text and optional structured bibliographic data. -type Citation struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A line of citation text. - Text string `json:"text"` -} - -// A document identifier qualified by an identifier scheme. A document identifier provides a -// globally unique identifier with a cross-instance scope that is used for a group of -// documents that are to be treated as different versions of the same document. If this -// element does not appear, or if the value of this element is empty, the value of -// "document-id" is equal to the value of the "uuid" flag of the top-level root element. 
-type DocumentIdentifier struct { - Identifier string `json:"identifier"` - // Qualifies the kind of document identifier using a URI. If the scheme is not provided the - // value of the element will be interpreted as a string of characters. - Scheme *DocumentIdentificationScheme `json:"scheme,omitempty"` -} - -// A pointer to an external resource with an optional hash for verification and change -// detection. -type ResourceLink struct { - Hashes []Hash `json:"hashes,omitempty"` - // A resolvable URI reference to a resource. - Href string `json:"href"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` -} - -// A representation of a cryptographic digest generated over a resource using a specified -// hash algorithm. -type Hash struct { - // Method by which a hash is derived - Algorithm HashAlgorithm `json:"algorithm"` - Value string `json:"value"` -} - -// Used by the assessment plan and POA&M to import information about the system. -type ImportSystemSecurityPlan struct { - // A resolvable URL reference to the system security plan for the system being assessed. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentPlanLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Identifies an assessment or related process that can be performed. 
In the assessment -// plan, this is an intended activity which may be associated with an assessment task. In -// the assessment results, this an activity that was actually performed as part of an -// assessment. -type Activity struct { - // A human-readable description of this included activity. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Steps []Step `json:"steps,omitempty"` - // The title for this included activity. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment activity elsewhere in this or other OSCAL instances. The - // locally defined UUID of the activity can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies the controls being assessed and their control objectives. -type ReviewedControlsAndControlObjectives struct { - ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections"` - // A human-readable description of control objectives. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Identifies the control objectives of the assessment. In the assessment plan, these are -// the planned objectives. 
In the assessment results, these are the assessed objectives, and -// reflects any changes from the plan. -type ReferencedControlObjectives struct { - // A human-readable description of this collection of control objectives. - Description *string `json:"description,omitempty"` - ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control objective for inclusion/exclusion based on the control -// objective's identifier. -type SelectObjective struct { - // Points to an assessment objective. - ObjectiveID string `json:"objective-id"` -} - -// Identifies the controls being assessed. In the assessment plan, these are the planned -// controls. In the assessment results, these are the actual controls, and reflects any -// changes from the plan. -type AssessedControls struct { - // A human-readable description of in-scope controls specified for assessment. - Description *string `json:"description,omitempty"` - ExcludeControls []SelectControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []SelectControl `json:"include-controls,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control for inclusion/exclusion based on one or more control -// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion -// to only specific control statements providing more granularity over the specific -// statements that are within the asessment scope. -type SelectControl struct { - // A human-oriented identifier reference to a control with a corresponding id value. 
When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - StatementIDS []string `json:"statement-ids,omitempty"` -} - -// Identifies an individual step in a series of steps related to an activity, such as an -// assessment test or examination procedure. -type Step struct { - // A human-readable description of this step. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` - // The title for this step. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this step elsewhere in this or other OSCAL instances. The locally defined - // UUID of the step (in a series of steps) can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A single managed inventory item within the system. -type InventoryItem struct { - // A summary of the inventory item stating its purpose within the system. 
- Description string `json:"description"` - ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inventory item elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inventory item can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// The set of components that are implemented in a given system inventory item. -type ImplementedComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A local definition of a control objective for this assessment. Uses catalog syntax for -// control objective and assessment actions. -type AssessmentSpecificControlObjective struct { - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A human-readable description of this control objective. 
- Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Parts []Part `json:"parts"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A partition of a control's definition or a child of another part. -type Part struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined part elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, this identifier must be referenced in the context of the - // containing resource (e.g., import-profile). This id should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - ID *string `json:"id,omitempty"` - Links []Link `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name string `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// A type of user that interacts with the system based on an associated role. -type SystemUser struct { - AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` - // A summary of the user's purpose within the system. 
- Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RoleIDS []string `json:"role-ids,omitempty"` - // A short common name, abbreviation, or acronym for the user. - ShortName *string `json:"short-name,omitempty"` - // A name given to the user, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this user class elsewhere in this or other OSCAL instances. The locally - // defined UUID of the system user can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies a specific system privilege held by the user, along with an associated -// description and/or rationale for the privilege. -type Privilege struct { - // A summary of the privilege's purpose within the system. - Description *string `json:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed"` - // A human readable name for the privilege. - Title string `json:"title"` -} - -// Provides information about the publication and availability of the containing document. 
-type PublicationMetadata struct { - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified"` - Links []Link `json:"links,omitempty"` - Locations []Location `json:"locations,omitempty"` - OscalVersion string `json:"oscal-version"` - Parties []PartyOrganizationOrPerson `json:"parties,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` - Roles []Role `json:"roles,omitempty"` - // A name given to the document, which may be used by a tool for display and navigation. - Title string `json:"title"` - Version string `json:"version"` -} - -// A location, with associated metadata that can be referenced. -type Location struct { - Address Address `json:"address"` - EmailAddresses []string `json:"email-addresses,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A name given to the location, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - Urls []string `json:"urls,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined location elsewhere in this or other OSCAL instances. The - // locally defined UUID of the location can be used to reference the data item locally or - // globally (e.g., from an importing OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A postal address for the location. 
-type Address struct { - AddrLines []string `json:"addr-lines,omitempty"` - // City, town or geographical region for the mailing address. - City *string `json:"city,omitempty"` - // The ISO 3166-1 alpha-2 country code for the mailing address. - Country *string `json:"country,omitempty"` - // Postal or ZIP code for mailing address - PostalCode *string `json:"postal-code,omitempty"` - // State, province or analogous geographical region for mailing address - State *string `json:"state,omitempty"` - // Indicates the type of address. - Type *AddressType `json:"type,omitempty"` -} - -// Contact number by telephone. -type TelephoneNumber struct { - Number string `json:"number"` - // Indicates the type of phone number. - Type *TypeFlag `json:"type,omitempty"` -} - -// A responsible entity which is either a person or an organization. -type PartyOrganizationOrPerson struct { - Addresses []Address `json:"addresses,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` - Links []Link `json:"links,omitempty"` - LocationUuids []string `json:"location-uuids,omitempty"` - MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` - // The full name of the party. This is typically the legal name associated with the party. - Name *string `json:"name,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the party. - ShortName *string `json:"short-name,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A category describing the kind of party the object describes. - Type PartyType `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined party elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the party can be used to reference the data item locally or globally - // (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// An identifier for a person or organization using a designated scheme. e.g. an Open -// Researcher and Contributor ID (ORCID) -type PartyExternalIdentifier struct { - ID string `json:"id"` - // Indicates the type of external identifier. - Scheme ExternalIdentifierSchema `json:"scheme"` -} - -// An entry in a sequential list of revisions to the containing document in reverse -// chronological order (i.e., most recent previous revision first). -type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty"` - Links []Link `json:"links,omitempty"` - OscalVersion *string `json:"oscal-version,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A name given to the document revision, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - Version string `json:"version"` -} - -// Defines a function assumed or expected to be assumed by a party in a specific situation. -type Role struct { - // A summary of the role's purpose and associated responsibilities. - Description *string `json:"description,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined role elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL - // instance must be referenced in the context of the containing resource (e.g., import, - // import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ID string `json:"id"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the role. - ShortName *string `json:"short-name,omitempty"` - // A name given to the role, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Represents a scheduled event or milestone, which may be associated with a series of -// assessment actions. -type Task struct { - AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` - Dependencies []TaskDependency `json:"dependencies,omitempty"` - // A human-readable description of this task. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The timing under which the task is intended to occur. - Timing *EventTiming `json:"timing,omitempty"` - // The title for this task. - Title string `json:"title"` - // The type of task. - Type TaskType `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this task elsewhere in this or other OSCAL instances. The locally defined - // UUID of the task can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. 
- UUID string `json:"uuid"` -} - -// Identifies an individual activity to be performed as part of a task. -type AssociatedActivity struct { - // A machine-oriented identifier reference to an activity defined in the list of activities. - ActivityUUID string `json:"activity-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// Used to indicate that a task is dependent on another task. -type TaskDependency struct { - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// The timing under which the task is intended to occur. -type EventTiming struct { - // The task is intended to occur at the specified frequency. - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` - // The task is intended to occur on the specified date. - OnDate *OnDateCondition `json:"on-date,omitempty"` - // The task is intended to occur within the specified date range. - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` -} - -// The task is intended to occur at the specified frequency. -type FrequencyCondition struct { - // The task must occur after the specified period has elapsed. - Period int64 `json:"period"` - // The unit of time for the period. - Unit TimeUnit `json:"unit"` -} - -// The task is intended to occur on the specified date. -type OnDateCondition struct { - // The task must occur on the specified date. - Date time.Time `json:"date"` -} - -// The task is intended to occur within the specified date range. -type OnDateRangeCondition struct { - // The task must occur on or before the specified date. - End time.Time `json:"end"` - // The task must occur on or after the specified date. 
- Start time.Time `json:"start"` -} - -// Used to define various terms and conditions under which an assessment, described by the -// plan, can be performed. Each child part defines a different type of term or condition. -type AssessmentPlanTermsAndConditions struct { - Parts []AssessmentPart `json:"parts,omitempty"` -} - -// A partition of an assessment plan or results or a child of another part. -type AssessmentPart struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - Links []Link `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name PartName `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []AssessmentPart `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this part elsewhere in this or other OSCAL instances. The locally defined - // UUID of the part can be used to reference the data item locally or globally (e.g., in an - // ported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP -// Security Assessment Report. 
-type SecurityAssessmentResultsSAR struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportAp ImportAssessmentPlan `json:"import-ap"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Results []AssessmentResult `json:"results"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment results instance in this or other OSCAL instances. The - // locally defined UUID of the assessment result can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Used by assessment-results to import information about the original plan for assessing -// the system. -type ImportAssessmentPlan struct { - // A resolvable URL reference to the assessment plan governing the assessment activities. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentResultsLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used by the assessment results and POA&M. In the assessment results, this identifies all -// of the assessment observations and findings, initial and residual risks, deviations, and -// disposition. In the POA&M, this identifies initial and residual risks, deviations, and -// disposition. 
-type AssessmentResult struct { - // A log of all assessment-related actions taken. - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` - Attestations []AttestationStatements `json:"attestations,omitempty"` - // A human-readable description of this set of test results. - Description string `json:"description"` - // Date/time stamp identifying the end of the evidence collection reflected in these - // results. In a continuous motoring scenario, this may contain the same value as start if - // appropriate. - End *time.Time `json:"end,omitempty"` - Findings []FindingElement `json:"findings,omitempty"` - Links []Link `json:"links,omitempty"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` - Observations []Observation `json:"observations,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - // Date/time stamp identifying the start of the evidence collection reflected in these - // results. - Start time.Time `json:"start"` - // The title for this set of results. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this set of results in this or other OSCAL instances. The locally defined - // UUID of the assessment result can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all assessment-related actions taken. 
-type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries"` -} - -// Identifies the result of an action and/or task that occurred as part of executing an -// assessment plan or an assessment event that occurred in producing the assessment results. -type AssessmentLogEntry struct { - // A human-readable description of this event. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of an event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []Link `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of an event. - Start time.Time `json:"start"` - // The title for this event. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference an assessment event in this or other OSCAL instances. The locally defined - // UUID of the assessment log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Used to indicate who created a log entry in what role. -type LoggedBy struct { - // A machine-oriented identifier reference to the party who is making the log entry. - PartyUUID string `json:"party-uuid"` - // A point to the role-id of the role in which the party is making the log entry. - RoleID *string `json:"role-id,omitempty"` -} - -// Identifies an individual task for which the containing object is a consequence of. 
-type TaskReference struct { - // Used to detail assessment subjects that were identfied by this task. - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// Used to detail assessment subjects that were identfied by this task. -type IdentifiedSubject struct { - // A machine-oriented identifier reference to a unique assessment subject placeholder - // defined by this task. - SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// A set of textual statements, typically written by the assessor. -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// Describes an individual finding. -type FindingElement struct { - // A human-readable description of this finding. - Description string `json:"description"` - // A machine-oriented identifier reference to the implementation statement in the SSP to - // which this finding is related. - ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` - Links []Link `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Target TargetClass `json:"target"` - // The title for this finding. 
- Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this finding in this or other OSCAL instances. The locally defined UUID of - // the finding can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the source of the finding, such as a tool, interviewed person, or activity. -type FindingOrigin struct { - Actors []OriginatingActor `json:"actors"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` -} - -// The actor that produces an observation, a finding, or a risk. One or more actor type can -// be used to specify a person that is using a tool. -type OriginatingActor struct { - // A machine-oriented identifier reference to the tool or person based on the associated - // type. - ActorUUID string `json:"actor-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // For a party, this can optionally be used to specify the role the actor was performing. - RoleID *string `json:"role-id,omitempty"` - // The kind of actor. - Type ActorType `json:"type"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type FindingRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type FindingRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. 
- RiskUUID string `json:"risk-uuid"` -} - -// Captures an assessor's conclusions regarding the degree to which an objective is -// satisfied. -type TargetClass struct { - // A human-readable description of the assessor's conclusions regarding the degree to which - // an objective is satisfied. - Description *string `json:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A determination of if the objective is satisfied or not within a given system. - Status StatusClass `json:"status"` - // A machine-oriented identifier reference for a specific target qualified by the type. - TargetID string `json:"target-id"` - // The title for this objective status. - Title *string `json:"title,omitempty"` - // Identifies the type of the target. - Type FindingTargetType `json:"type"` -} - -// Indicates the degree to which the a given control is implemented. -type ImplementationStatus struct { - Remarks *string `json:"remarks,omitempty"` - // Identifies the implementation status of the control or control objective. - State ImplementationState `json:"state"` -} - -// A determination of if the objective is satisfied or not within a given system. -type StatusClass struct { - // The reason the objective was given it's status. - Reason *ObjectiveStatusReason `json:"reason,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // An indication as to whether the objective is satisfied or not. - State ObjectiveStatusState `json:"state"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type ResultLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Describes an individual observation. -type Observation struct { - // Date/time stamp identifying when the finding information was collected. - Collected time.Time `json:"collected"` - // A human-readable description of this assessment observation. - Description string `json:"description"` - // Date/time identifying when the finding information is out-of-date and no longer valid. - // Typically used with continuous assessment scenarios. - Expires *time.Time `json:"expires,omitempty"` - Links []Link `json:"links,omitempty"` - Methods []ObservationMethod `json:"methods"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this observation. - Title *string `json:"title,omitempty"` - Types []ObservationType `json:"types,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this observation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the observation can be used to reference the data item locally or - // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Links this observation to relevant evidence. -type RelevantEvidence struct { - // A human-readable description of this evidence. 
- Description string `json:"description"` - // A resolvable URL reference to relevant evidence. - Href *string `json:"href,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A human-oriented identifier reference to a resource. Use type to indicate whether the -// identified resource is a component, inventory item, location, user, or something else. -type IdentifiesTheSubject struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // The title or name for the referenced subject. - Title *string `json:"title,omitempty"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type SubjectUniversallyUniqueIdentifierReferenceType `json:"type"` -} - -// An identified risk. -type IdentifiedRisk struct { - Characterizations []Characterization `json:"characterizations,omitempty"` - // The date/time by which the risk must be resolved. - Deadline *time.Time `json:"deadline,omitempty"` - // A human-readable summary of the identified risk, to include a statement of how the risk - // impacts the system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` - Remediations []RiskResponse `json:"remediations,omitempty"` - // A log of all risk-related tasks taken. - RiskLog *RiskLog `json:"risk-log,omitempty"` - // An summary of impact for how the risk affects the system. 
- Statement string `json:"statement"` - Status RiskStatus `json:"status"` - ThreatIDS []ThreatID `json:"threat-ids,omitempty"` - // The title for this risk. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk elsewhere in this or other OSCAL instances. The locally defined - // UUID of the risk can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A collection of descriptive data about the containing object from a specific origin. -type Characterization struct { - Facets []Facet `json:"facets"` - Links []Link `json:"links,omitempty"` - Origin FindingOrigin `json:"origin"` - Props []Property `json:"props,omitempty"` -} - -// An individual characteristic that is part of a larger set produced by the same actor. -type Facet struct { - Links []Link `json:"links,omitempty"` - // The name of the risk metric within the specified system. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Specifies the naming system under which this risk metric is organized, which allows for - // the same names to be used in different systems controlled by different parties. This - // avoids the potential of a name clash. - System NamingSystem `json:"system"` - // Indicates the value of the facet. - Value string `json:"value"` -} - -// Describes an existing mitigating factor that may affect the overall determination of the -// risk, with an optional link to an implementation statement in the SSP. -type MitigatingFactor struct { - // A human-readable description of this mitigating factor. 
- Description string `json:"description"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this implementation statement elsewhere in this or other OSCAL instancess. - // The locally defined UUID of the implementation statement can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ImplementationUUID *string `json:"implementation-uuid,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this mitigating factor elsewhere in this or other OSCAL instances. The - // locally defined UUID of the mitigating factor can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type RiskRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Describes either recommended or an actual plan for addressing the risk. -type RiskResponse struct { - // A human-readable description of this response plan. - Description string `json:"description"` - // Identifies whether this is a recommendation, such as from an assessor or tool, or an - // actual plan accepted by the system owner. 
- Lifecycle RemediationIntent `json:"lifecycle"` - Links []Link `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The title for this response activity. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this remediation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk response can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an asset required to achieve remediation. -type RequiredAsset struct { - // A human-readable description of this required asset. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this required asset. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this required asset elsewhere in this or other OSCAL instances. The locally - // defined UUID of the asset can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all risk-related tasks taken. 
-type RiskLog struct { - Entries []RiskLogEntry `json:"entries"` -} - -// Identifies an individual risk response that occurred as part of managing an identified -// risk. -type RiskLogEntry struct { - // A human-readable description of what was done regarding the risk. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of the event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []Link `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of the event. - Start time.Time `json:"start"` - StatusChange *RiskStatus `json:"status-change,omitempty"` - // The title for this risk log entry. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual risk response that this log entry is for. -type RiskResponseReference struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique risk response. - ResponseUUID string `json:"response-uuid"` -} - -// A pointer, by ID, to an externally-defined threat. 
-type ThreatID struct { - // An optional location for the threat data, from which this ID originates. - Href *string `json:"href,omitempty"` - ID string `json:"id"` - // Specifies the source of the threat information. - System ThreatTypeIdentificationSystem `json:"system"` -} - -// A collection of controls. -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []ControlGroup `json:"groups,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Params []Parameter `json:"params,omitempty"` - // A globally unique identifier with cross-instance scope for this catalog instance. This - // UUID should be changed when this document is revised. - UUID string `json:"uuid"` -} - -// A structured information object representing a security or privacy control. Each security -// or privacy control within the Catalog is defined by a distinct control instance. -type Control struct { - // A textual label that provides a sub-type or characterization of the control. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - // A human-oriented, locally unique identifier with instance scope that can be used to - // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This - // id should be assigned per-subject, which means it should be consistently used to identify - // the same control across revisions of the document. - ID string `json:"id"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. -type Parameter struct { - // A textual label that provides a characterization of the parameter. 
- Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. This construct has been deprecated - // and should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined parameter elsewhere in this or other OSCAL instances. When - // referenced from another OSCAL instance, this identifier must be referenced in the context - // of the containing resource (e.g., import-profile). This id should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - ID string `json:"id"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A formal or informal expression of a constraint or test -type Constraint struct { - // A textual summary of the constraint to be applied. - Description *string `json:"description,omitempty"` - Tests []ConstraintTest `json:"tests,omitempty"` -} - -// A test expression which is expected to be evaluated by a tool. -type ConstraintTest struct { - // A formal (executable) expression of a constraint - Expression string `json:"expression"` - Remarks *string `json:"remarks,omitempty"` -} - -// A prose statement that provides a recommendation for the use of a parameter. -type Guideline struct { - // Prose permits multiple paragraphs, lists, tables etc. 
- Prose string `json:"prose"` -} - -// Presenting a choice among alternatives -type Selection struct { - Choice []string `json:"choice,omitempty"` - // Describes the number of selections that must occur. Without this setting, only one value - // should be assumed to be permitted. - HowMany *ParameterCardinality `json:"how-many,omitempty"` -} - -// A group of controls, or of groups of controls. -type ControlGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []ControlGroup `json:"groups,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined group elsewhere in in this and other OSCAL instances (e.g., - // profiles). This id should be assigned per-subject, which means it should be consistently - // used to identify the same group across revisions of the document. - ID *string `json:"id,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// A collection of component descriptions, which may optionally be grouped by capability. -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Capabilities []Capability `json:"capabilities,omitempty"` - Components []ComponentDefinitionComponent `json:"components,omitempty"` - ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component definition elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the component definition can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A grouping of other components and/or capabilities. -type Capability struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A summary of the capability. - Description string `json:"description"` - IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` - Links []Link `json:"links,omitempty"` - // The capability's human-readable name. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this capability elsewhere in this or other OSCAL instances. The locally - // defined UUID of the capability can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Defines how the component or capability supports a set of controls. -type ControlImplementationSet struct { - // A description of how the specified set of controls are implemented for the containing - // component or capability. 
- Description string `json:"description"` - ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol - // definition. - Source string `json:"source"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference a set of implemented controls elsewhere in this or other OSCAL instances. - // The locally defined UUID of the control implementation set can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how the containing component or capability implements an individual control. -type ImplementedRequirementElement struct { - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A suggestion for how the specified control may be implemented if the containing component - // or capability is instantiated in a system security plan. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []ControlStatementImplementation `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference a specific control implementation elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance).This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the parameter that will be set by the enclosed value. -type SetParameterValue struct { - // A human-oriented reference to a parameter within a control, who's catalog has been - // imported into the current implementation context. - ParamID string `json:"param-id"` - Remarks *string `json:"remarks,omitempty"` - Values []string `json:"values"` -} - -// Identifies which statements within a control are addressed. -type ControlStatementImplementation struct { - // A summary of how the containing control statement is implemented by the component or - // capability. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. 
- StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// TBD -type IncorporatesComponent struct { - // A machine-oriented identifier reference to a component. - ComponentUUID string `json:"component-uuid"` - // A description of the component, including information about its function. - Description string `json:"description"` -} - -// A defined component that can be part of an implemented system. -type ComponentDefinitionComponent struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A description of the component, including information about its function. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human readable name for the component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type FluffyComponentType `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Loads a component definition from another resource. -type ImportComponentDefinition struct { - // A link to a resource that defines a set of components and/or capabilities to import into - // this collection. - Href string `json:"href"` -} - -// A plan of action and milestones which identifies initial and residual risks, deviations, -// and disposition, such as those required by FedRAMP. -type PlanOfActionAndMilestonesPOAM struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Observations []Observation `json:"observations,omitempty"` - PoamItems []POAMItem `json:"poam-items"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - SystemID *SystemIdentification `json:"system-id,omitempty"` - // A machine-oriented, globally unique identifier with instancescope that can be used to - // reference this POA&M instance in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Allows components, and inventory-items to be defined within the POA&M for circumstances -// where no OSCAL-based SSP exists, or is not delivered with the POA&M. -type PlanOfActionAndMilestonesLocalDefinitions struct { - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Describes an individual POA&M item. -type POAMItem struct { - // A human-readable description of POA&M item. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Origins []PoamItemOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for this POA&M item . - Title string `json:"title"` - // A machine-oriented, globally unique identifier with instance scope that can be used to - // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Identifies the source of the finding, such as a tool or person. -type PoamItemOrigin struct { - Actors []OriginatingActor `json:"actors"` -} - -// Relates the poam-item to a set of referenced observations that were used to determine the -// finding. -type PoamItemRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type PoamItemRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. - RiskUUID string `json:"risk-uuid"` -} - -// A human-oriented, globally unique identifier with cross-instance scope that can be used -// to reference this system identification property elsewhere in this or other OSCAL -// instances. When referencing an externally defined system identification, the system -// identification must be used in the context of the external / imported OSCAL instance -// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should -// be consistently used to identify the same system across revisions of the document. -type SystemIdentification struct { - ID string `json:"id"` - // Identifies the identification system from which the provided identifier was assigned. - IdentifierType *IdentificationSystemType `json:"identifier-type,omitempty"` -} - -// Each OSCAL profile is defined by a Profile element -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Imports []ImportResource `json:"imports"` - Merge *MergeControls `json:"merge,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Modify *ModifyControls `json:"modify,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this profile elsewhere in this or other OSCAL instances. The locally defined - // UUID of the profile can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance).This identifier should be assigned per-subject, which means - // it should be consistently used to identify the same profile across revisions of the - // document. - UUID string `json:"uuid"` -} - -// The import designates a catalog or profile to be included (referenced and potentially -// modified) by this profile. The import also identifies which controls to select using the -// include-all, include-controls, and exclude-controls directives. -type ImportResource struct { - ExcludeControls []Call `json:"exclude-controls,omitempty"` - // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
- Href string `json:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []Call `json:"include-controls,omitempty"` -} - -// Call a control by its ID -type Call struct { - Matching []MatchControlsByPattern `json:"matching,omitempty"` - // When a control is included, whether its child (dependent) controls are also included. - WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` - WithIDS []string `json:"with-ids,omitempty"` -} - -// Select controls by (regular expression) match on ID -type MatchControlsByPattern struct { - // A glob expression matching the IDs of one or more controls to be selected. - Pattern *string `json:"pattern,omitempty"` -} - -// A Merge element provides structuring directives that drive how controls are organized -// after resolution. -type MergeControls struct { - // An As-is element indicates that the controls should be structured in resolution as they - // are structured in their source catalogs. It does not contain any elements or attributes. - AsIs *bool `json:"as-is,omitempty"` - // A Combine element defines how to combine multiple (competing) versions of the same - // control. - Combine *CombinationRule `json:"combine,omitempty"` - // A Custom element frames a structure for embedding represented controls in resolution. - Custom *CustomGrouping `json:"custom,omitempty"` - // Use the flat structuring method. - Flat *Flat `json:"flat,omitempty"` -} - -// A Combine element defines how to combine multiple (competing) versions of the same -// control. -type CombinationRule struct { - // How clashing controls should be handled - Method *CombinationMethod `json:"method,omitempty"` -} - -// A Custom element frames a structure for embedding represented controls in resolution. 
-type CustomGrouping struct { - Groups []CustomGroup `json:"groups,omitempty"` - InsertControls []SelectControls `json:"insert-controls,omitempty"` -} - -// A group of (selected) controls or of groups of controls -type CustomGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Groups []CustomGroup `json:"groups,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined group elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, this identifier must be referenced in the context of the - // containing resource (e.g., import-profile). This id should be assigned per-subject, which - // means it should be consistently used to identify the same group across revisions of the - // document. - ID *string `json:"id,omitempty"` - InsertControls []SelectControls `json:"insert-controls,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Specifies which controls to use in the containing context. -type SelectControls struct { - ExcludeControls []Call `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []Call `json:"include-controls,omitempty"` - // A designation of how a selection of controls in a profile is to be ordered. - Order *Order `json:"order,omitempty"` -} - -// Use the flat structuring method. 
-type Flat struct { -} - -// Set parameters or amend controls in resolution -type ModifyControls struct { - Alters []Alteration `json:"alters,omitempty"` - SetParameters []ParameterSetting `json:"set-parameters,omitempty"` -} - -// An Alter element specifies changes to be made to an included control when a profile is -// resolved. -type Alteration struct { - Adds []Addition `json:"adds,omitempty"` - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Removes []Removal `json:"removes,omitempty"` -} - -// Specifies contents to be added into controls, in resolution -type Addition struct { - // Target location of the addition. - ByID *string `json:"by-id,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - // Where to add the new content with respect to the targeted element (beside it or inside it) - Position *Position `json:"position,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// Specifies objects to be removed from a control based on specific aspects of the object -// that must all match. -type Removal struct { - // Identify items to remove by matching their class. - ByClass *string `json:"by-class,omitempty"` - // Identify items to remove indicated by their id. - ByID *string `json:"by-id,omitempty"` - // Identify items to remove by the name of the item's information element name, e.g. 
title - // or prop - ByItemName *string `json:"by-item-name,omitempty"` - // Identify items to remove by matching their assigned name - ByName *string `json:"by-name,omitempty"` - // Identify items to remove by the item's ns, which is the namespace associated with a part, - // or prop. - ByNS *string `json:"by-ns,omitempty"` -} - -// A parameter setting, to be propagated to points of insertion -type ParameterSetting struct { - // A textual label that provides a characterization of the parameter. - Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. This construct has been deprecated - // and should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []Link `json:"links,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined parameter elsewhere in this or other OSCAL instances. When - // referenced from another OSCAL instance, this identifier must be referenced in the context - // of the containing resource (e.g., import-profile). This id should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. 
- ParamID string `json:"param-id"` - Props []Property `json:"props,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A system security plan, such as those described in NIST SP 800-18 -type SystemSecurityPlanSSP struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ControlImplementation ControlImplementationClass `json:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile"` - Metadata PublicationMetadata `json:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. - // The locally defined UUID of the SSP can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes how the system satisfies a set of controls. -type ControlImplementationClass struct { - // A statement describing important things to know about how this set of control - // satisfaction documentation is approached. - Description string `json:"description"` - ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` -} - -// Describes how the system satisfies the requirements of an individual control. 
-type ControlBasedRequirement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []SpecificControlStatement `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control requirement elsewhere in this or other OSCAL instances. The - // locally defined UUID of the control requirement can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Defines how the referenced component implements a set of controls. -type ComponentControlImplementation struct { - // A machine-oriented identifier reference to the component that is implemeting a given - // control. - ComponentUUID string `json:"component-uuid"` - // An implementation statement that describes how a control or a control statement is - // implemented within the referenced system component. - Description string `json:"description"` - // Identifies content intended for external consumption, such as with leveraged - // organizations. 
- Export *Export `json:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Inherited []InheritedControlImplementation `json:"inherited,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this by-component entry elsewhere in this or other OSCAL instances. The - // locally defined UUID of the by-component entry can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies content intended for external consumption, such as with leveraged -// organizations. -type Export struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be available to another system leveraging this system. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Provided []ProvidedControlImplementation `json:"provided,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` -} - -// Describes a capability which may be inherited by a leveraging system. 
-type ProvidedControlImplementation struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be provided to another system leveraging this system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this provided entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the provided entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation responsibility imposed on a leveraging system. -type ControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that a leveraging system must implement to satisfy the control - // provided by a leveraged system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this responsibility elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the responsibility can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation inherited by a leveraging system. -type InheritedControlImplementation struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is inheriting from a leveraged system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inherited control implementation can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how this system satisfies a responsibility imposed by a leveraged system. -type SatisfiedControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is implementing based on a requirement from a - // leveraged system. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a control implementation that satisfies a - // responsibility imposed by a leveraged system. - ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this satisfied control implementation entry elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance). This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies which statements within a control are addressed. -type SpecificControlStatement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// Used to import the OSCAL profile representing the system's control baseline. 
-type ImportProfile struct { - // A resolvable URL reference to the profile or catalog to use as the system's control - // baseline. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Contains the characteristics of the system, such as its name, purpose, and security -// impact level. -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty"` - DateAuthorized *string `json:"date-authorized,omitempty"` - // A summary of the system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level"` - // The overall information system sensitivity categorization, such as defined by FIPS-199. - SecuritySensitivityLevel string `json:"security-sensitivity-level"` - Status SystemCharacteristicsStatus `json:"status"` - SystemIDS []SystemIdentification `json:"system-ids"` - SystemInformation SystemInformation `json:"system-information"` - // The full name of the system. - SystemName string `json:"system-name"` - // A short name for the system, such as an acronym, that is suitable for display in a data - // table or summary list. - SystemNameShort *string `json:"system-name-short,omitempty"` -} - -// A description of this system's authorization boundary, optionally supplemented by -// diagrams that illustrate the authorization boundary. -type AuthorizationBoundary struct { - // A summary of the system's authorization boundary. 
- Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A graphic that provides a visual representation the system, or some aspect of it. -type Diagram struct { - // A brief caption to annotate the diagram. - Caption *string `json:"caption,omitempty"` - // A summary of the diagram. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined - // UUID of the diagram can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance). This UUID should be assigned per-subject, which means it - // should be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A description of the logical flow of information within the system and across its -// boundaries, optionally supplemented by diagrams that illustrate these flows. -type DataFlow struct { - // A summary of the system's data flow. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A description of the system's network architecture, optionally supplemented by diagrams -// that illustrate the network architecture. -type NetworkArchitecture struct { - // A summary of the system's network architecture. 
- Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// The overall level of expected impact resulting from unauthorized disclosure, -// modification, or loss of access to information. -type SecurityImpactLevel struct { - // A target-level of availability for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveAvailability string `json:"security-objective-availability"` - // A target-level of confidentiality for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` - // A target-level of integrity for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveIntegrity string `json:"security-objective-integrity"` -} - -// Describes the operational status of the system. -type SystemCharacteristicsStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The current operating status. - State FluffyState `json:"state"` -} - -// Contains details about all information types that are stored, processed, or transmitted -// by the system, such as privacy information, and those defined in NIST SP 800-60. -type SystemInformation struct { - InformationTypes []InformationType `json:"information-types"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` -} - -// Contains details about one information type that is stored, processed, or transmitted by -// the system, such as privacy information, and those defined in NIST SP 800-60. -type InformationType struct { - // The expected level of impact resulting from the disruption of access to or use of the - // described information or the information system. 
- AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact"` - Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` - // The expected level of impact resulting from the unauthorized disclosure of the described - // information. - ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact"` - // A summary of how this information type is used within the system. - Description string `json:"description"` - // The expected level of impact resulting from the unauthorized modification of the - // described information. - IntegrityImpact IntegrityImpactLevel `json:"integrity-impact"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A human readable name for the information type. This title should be meaningful within - // the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this information type elsewhere in this or other OSCAL instances. The - // locally defined UUID of the information type can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// The expected level of impact resulting from the disruption of access to or use of the -// described information or the information system. -type AvailabilityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// A set of information type identifiers qualified by the given identification system used, -// such as NIST SP 800-60. 
-type InformationTypeCategorization struct { - InformationTypeIDS []string `json:"information-type-ids,omitempty"` - // Specifies the information type identification system used. - System InformationTypeIdentificationSystem `json:"system"` -} - -// The expected level of impact resulting from the unauthorized disclosure of the described -// information. -type ConfidentialityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// The expected level of impact resulting from the unauthorized modification of the -// described information. -type IntegrityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// Provides information as to how the system is implemented. -type SystemImplementation struct { - Components []AssessmentAssetsComponent `json:"components"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users"` -} - -// A description of another authorized system from which this system inherits capabilities -// that satisfy security requirements. Another term for this concept is a common control -// provider. -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized"` - Links []Link `json:"links,omitempty"` - // A machine-oriented identifier reference to the party that manages the leveraged system. 
- PartyUUID string `json:"party-uuid"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human readable name for the leveraged authorization in the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope and can be used - // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The - // locally defined UUID of the leveraged authorization can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. 
When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. 
-// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type Relation string - -const ( - Reference Relation = "reference" -) - -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. 
-// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. 
-// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. 
-type PropertyName string - -const ( - Marking PropertyName = "marking" -) - -// Indicates the transport type. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. 
-// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type Transport string - -const ( - TCP Transport = "TCP" - UDP Transport = "UDP" -) - -// The operational status. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. 
-// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. 
-// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. 
-// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type PurpleState string - -const ( - PurpleDisposition PurpleState = "disposition" - PurpleOperational PurpleState = "operational" - PurpleOther PurpleState = "other" - PurpleUnderDevelopment PurpleState = "under-development" -) - -// A category describing the purpose of the component. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. 
-// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
-// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -type PurpleComponentType string - -const ( - Network PurpleComponentType = "network" - PurpleGuidance PurpleComponentType = "guidance" - PurpleHardware PurpleComponentType = "hardware" - PurpleInterconnection PurpleComponentType = "interconnection" - PurplePhysical PurpleComponentType = "physical" - PurplePlan PurpleComponentType = "plan" - PurplePolicy PurpleComponentType = "policy" - PurpleProcessProcedure PurpleComponentType = "process-procedure" - PurpleService PurpleComponentType = "service" - PurpleSoftware PurpleComponentType = "software" - PurpleStandard PurpleComponentType = "standard" - PurpleValidation PurpleComponentType = "validation" - System PurpleComponentType = "system" - ThisSystem PurpleComponentType = "this-system" -) - -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. 
-// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. 
-// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type SubjectUniversallyUniqueIdentifierReferenceType string - -const ( - Resource SubjectUniversallyUniqueIdentifierReferenceType = "resource" - SubjectUniversallyUniqueIdentifierReferenceTypeComponent SubjectUniversallyUniqueIdentifierReferenceType = "component" - SubjectUniversallyUniqueIdentifierReferenceTypeInventoryItem SubjectUniversallyUniqueIdentifierReferenceType = "inventory-item" - SubjectUniversallyUniqueIdentifierReferenceTypeLocation SubjectUniversallyUniqueIdentifierReferenceType = "location" - SubjectUniversallyUniqueIdentifierReferenceTypeParty SubjectUniversallyUniqueIdentifierReferenceType = "party" - SubjectUniversallyUniqueIdentifierReferenceTypeUser SubjectUniversallyUniqueIdentifierReferenceType = "user" -) - -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. 
-// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. 
-// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. 
-// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type SubjectType string - -const ( - SubjectTypeComponent SubjectType = "component" - SubjectTypeInventoryItem SubjectType = "inventory-item" - SubjectTypeLocation SubjectType = "location" - SubjectTypeParty SubjectType = "party" - SubjectTypeUser SubjectType = "user" -) - -// Qualifies the kind of document identifier using a URI. If the scheme is not provided the -// value of the element will be interpreted as a string of characters. -// -// A namespace qualifying the property's name. This allows different organizations to -// associate distinct semantics with the same name. -// -// A namespace qualifying the part's name. This allows different organizations to associate -// distinct semantics with the same name. -// -// The uniform resource locator (URL) for a web site or Internet presence associated with -// the location. -type DocumentIdentificationScheme string - -const ( - HTTPWWWDoiOrg DocumentIdentificationScheme = "http://www.doi.org/" -) - -// Method by which a hash is derived -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. 
-// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. 
-// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -type HashAlgorithm string - -const ( - SHA224 HashAlgorithm = "SHA-224" - SHA256 HashAlgorithm = "SHA-256" - SHA384 HashAlgorithm = "SHA-384" - SHA512 HashAlgorithm = "SHA-512" - Sha3224 HashAlgorithm = "SHA3-224" - Sha3256 HashAlgorithm = "SHA3-256" - Sha3384 HashAlgorithm = "SHA3-384" - Sha3512 HashAlgorithm = "SHA3-512" -) - -// Indicates the type of address. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. 
When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. 
-// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type AddressType string - -const ( - AddressTypeHome AddressType = "home" - Work AddressType = "work" -) - -// Indicates the type of phone number. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. 
-// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -type TypeFlag string - -const ( - Mobile TypeFlag = "mobile" - Office TypeFlag = "office" - TypeFlagHome TypeFlag = "home" -) - -// Indicates the type of external identifier. -// -// A namespace qualifying the property's name. This allows different organizations to -// associate distinct semantics with the same name. -// -// A namespace qualifying the part's name. This allows different organizations to associate -// distinct semantics with the same name. -// -// The uniform resource locator (URL) for a web site or Internet presence associated with -// the location. 
-type ExternalIdentifierSchema string - -const ( - HTTPOrcidOrg ExternalIdentifierSchema = "http://orcid.org/" -) - -// A category describing the kind of party the object describes. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. 
This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -type PartyType string - -const ( - Organization PartyType = "organization" - Person PartyType = "person" -) - -// The unit of time for the period. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. 
-// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. 
-type TimeUnit string - -const ( - Days TimeUnit = "days" - Hours TimeUnit = "hours" - Minutes TimeUnit = "minutes" - Months TimeUnit = "months" - Seconds TimeUnit = "seconds" - Years TimeUnit = "years" -) - -// The type of task. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. 
-// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type TaskType string - -const ( - Action TaskType = "action" - Milestone TaskType = "milestone" -) - -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. 
-// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that provides a sub-type or characterization of the group. 
-// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. 
-// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type PartName string - -const ( - Asset PartName = "asset" - Method PartName = "method" - Objective PartName = "objective" -) - -// The kind of actor. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. 
-// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. 
-// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. 
-// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type ActorType string - -const ( - ActorTypeParty ActorType = "party" - AssessmentPlatform ActorType = "assessment-platform" - Tool ActorType = "tool" -) - -// Identifies the implementation status of the control or control objective. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. 
When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. 
-// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type ImplementationState string - -const ( - Alternative ImplementationState = "alternative" - ImplementationStatePlanned ImplementationState = "planned" - Implemented ImplementationState = "implemented" - NotApplicable ImplementationState = "not-applicable" - Partial ImplementationState = "partial" -) - -// The reason the objective was given it's status. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). 
This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. 
-// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type ObjectiveStatusReason string - -const ( - Fail ObjectiveStatusReason = "fail" - ObjectiveStatusReasonOther ObjectiveStatusReason = "other" - Pass ObjectiveStatusReason = "pass" -) - -// An indication as to whether the objective is satisfied or not. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. 
This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type ObjectiveStatusState string - -const ( - NotSatisfied ObjectiveStatusState = "not-satisfied" - Satisfied ObjectiveStatusState = "satisfied" -) - -// Identifies the type of the target. 
-// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. 
-// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -type FindingTargetType string - -const ( - ObjectiveID FindingTargetType = "objective-id" - StatementID FindingTargetType = "statement-id" -) - -// Identifies how the observation was made. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. 
-// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. 
-type ObservationMethod string - -const ( - Examine ObservationMethod = "EXAMINE" - Interview ObservationMethod = "INTERVIEW" - Test ObservationMethod = "TEST" - Unknown ObservationMethod = "UNKNOWN" -) - -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. 
-// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. 
-type ObservationType string - -const ( - ControlObjective ObservationType = "control-objective" - Finding ObservationType = "finding" - Historic ObservationType = "historic" - Mitigation ObservationType = "mitigation" - SSPStatementIssue ObservationType = "ssp-statement-issue" -) - -// Specifies the naming system under which this risk metric is organized, which allows for -// the same names to be used in different systems controlled by different parties. This -// avoids the potential of a name clash. -// -// A namespace qualifying the property's name. This allows different organizations to -// associate distinct semantics with the same name. -// -// A namespace qualifying the part's name. This allows different organizations to associate -// distinct semantics with the same name. -// -// The uniform resource locator (URL) for a web site or Internet presence associated with -// the location. -type NamingSystem string - -const ( - HTTPCsrcNISTGovNSOscal NamingSystem = "http://csrc.nist.gov/ns/oscal" - HTTPCsrcNISTGovNSOscalUnknown NamingSystem = "http://csrc.nist.gov/ns/oscal/unknown" - HTTPCveMitreOrg NamingSystem = "http://cve.mitre.org" - HTTPWWWFirstOrgCvssV20 NamingSystem = "http://www.first.org/cvss/v2.0" - HTTPWWWFirstOrgCvssV30 NamingSystem = "http://www.first.org/cvss/v3.0" - HTTPWWWFirstOrgCvssV31 NamingSystem = "http://www.first.org/cvss/v3.1" - NamingSystemHTTPFedrampGov NamingSystem = "http://fedramp.gov" - NamingSystemHTTPFedrampGovNSOscal NamingSystem = "http://fedramp.gov/ns/oscal" -) - -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. 
-// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. 
-// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. 
-// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type RemediationIntent string - -const ( - Completed RemediationIntent = "completed" - Recommendation RemediationIntent = "recommendation" - RemediationIntentPlanned RemediationIntent = "planned" -) - -// Describes the status of the associated risk. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. 
-// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. 
-// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. 
-// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type RiskStatus string - -const ( - Closed RiskStatus = "closed" - DeviationApproved RiskStatus = "deviation-approved" - DeviationRequested RiskStatus = "deviation-requested" - Investigating RiskStatus = "investigating" - Open RiskStatus = "open" - Remediating RiskStatus = "remediating" -) - -// Specifies the source of the threat information. -// -// A namespace qualifying the property's name. This allows different organizations to -// associate distinct semantics with the same name. -// -// A namespace qualifying the part's name. This allows different organizations to associate -// distinct semantics with the same name. -// -// The uniform resource locator (URL) for a web site or Internet presence associated with -// the location. -type ThreatTypeIdentificationSystem string - -const ( - ThreatTypeIdentificationSystemHTTPFedrampGov ThreatTypeIdentificationSystem = "http://fedramp.gov" - ThreatTypeIdentificationSystemHTTPFedrampGovNSOscal ThreatTypeIdentificationSystem = "http://fedramp.gov/ns/oscal" -) - -// Describes the number of selections that must occur. Without this setting, only one value -// should be assumed to be permitted. -// -// A textual label that provides a sub-type or characterization of the property's name. 
This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. 
-// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). 
-// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type ParameterCardinality string - -const ( - One ParameterCardinality = "one" - OneOrMore ParameterCardinality = "one-or-more" -) - -// A category describing the purpose of the component. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. 
-// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
-// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -type FluffyComponentType string - -const ( - FluffyGuidance FluffyComponentType = "guidance" - FluffyHardware FluffyComponentType = "hardware" - FluffyInterconnection FluffyComponentType = "interconnection" - FluffyPhysical FluffyComponentType = "physical" - FluffyPlan FluffyComponentType = "plan" - FluffyPolicy FluffyComponentType = "policy" - FluffyProcessProcedure FluffyComponentType = "process-procedure" - FluffyService FluffyComponentType = "service" - FluffySoftware FluffyComponentType = "software" - FluffyStandard FluffyComponentType = "standard" - FluffyValidation FluffyComponentType = "validation" -) - -// Identifies the identification system from which the provided identifier was assigned. -// -// A namespace qualifying the property's name. This allows different organizations to -// associate distinct semantics with the same name. -// -// A namespace qualifying the part's name. This allows different organizations to associate -// distinct semantics with the same name. -// -// The uniform resource locator (URL) for a web site or Internet presence associated with -// the location. -type IdentificationSystemType string - -const ( - HTTPIETFOrgRFCRfc4122 IdentificationSystemType = "http://ietf.org/rfc/rfc4122" - HTTPSFedrampGov IdentificationSystemType = "https://fedramp.gov" - HTTPSIETFOrgRFCRfc4122 IdentificationSystemType = "https://ietf.org/rfc/rfc4122" - IdentificationSystemTypeHTTPFedrampGovNSOscal IdentificationSystemType = "http://fedramp.gov/ns/oscal" -) - -// When a control is included, whether its child (dependent) controls are also included. -// -// A textual label that provides a sub-type or characterization of the property's name. 
This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. 
-// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). 
-// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type IncludeContainedControlsWithControl string - -const ( - No IncludeContainedControlsWithControl = "no" - Yes IncludeContainedControlsWithControl = "yes" -) - -// How clashing controls should be handled -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. 
-// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
-// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -type CombinationMethod string - -const ( - CombinationMethodKeep CombinationMethod = "keep" - Merge CombinationMethod = "merge" - UseFirst CombinationMethod = "use-first" -) - -// A designation of how a selection of controls in a profile is to be ordered. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. 
This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. 
-type Order string - -const ( - Ascending Order = "ascending" - Descending Order = "descending" - OrderKeep Order = "keep" -) - -// Where to add the new content with respect to the targeted element (beside it or inside -// it) -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. 
-// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -type Position string - -const ( - After Position = "after" - Before Position = "before" - Ending Position = "ending" - Starting Position = "starting" -) - -// The current operating status. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. 
-// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. 
-// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -type FluffyState string - -const ( - FluffyDisposition FluffyState = "disposition" - FluffyOperational FluffyState = "operational" - FluffyOther FluffyState = "other" - FluffyUnderDevelopment FluffyState = "under-development" - UnderMajorModification FluffyState = "under-major-modification" -) - -// Specifies the information type identification system used. -// -// A namespace qualifying the property's name. This allows different organizations to -// associate distinct semantics with the same name. -// -// A namespace qualifying the part's name. This allows different organizations to associate -// distinct semantics with the same name. -// -// The uniform resource locator (URL) for a web site or Internet presence associated with -// the location. -type InformationTypeIdentificationSystem string - -const ( - HTTPDoiOrg106028NISTSP80060V2R1 InformationTypeIdentificationSystem = "http://doi.org/10.6028/NIST.SP.800-60v2r1" -) diff --git a/src/types/quicktype/oscal-1-0-6/types.go b/src/types/quicktype/oscal-1-0-6/types.go deleted file mode 100644 index 56f76756..00000000 --- a/src/types/quicktype/oscal-1-0-6/types.go +++ /dev/null 
@@ -1,3729 +0,0 @@ -// This file was generated from JSON Schema using quicktype, do not modify it directly. -// To parse and unparse this JSON data, add this code to your project and do: -// -// oscalModels, err := UnmarshalOscalModels(bytes) -// bytes, err = oscalModels.Marshal() - -package oscalTypes_1_0_6 - -import "time" - -import "encoding/json" - -func UnmarshalOscalModels(data []byte) (OscalModels, error) { - var r OscalModels - err := json.Unmarshal(data, &r) - return r, err -} - -func (r *OscalModels) Marshal() ([]byte, error) { - return json.Marshal(r) -} - -type OscalModels struct { - Schema *string `json:"$schema,omitempty"` - Catalog *Catalog `json:"catalog,omitempty"` - Profile *Profile `json:"profile,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` - SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` - AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` - AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` -} - -// An assessment plan, such as those provided by a FedRAMP assessor. -type SecurityAssessmentPlanSAP struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. 
- LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Tasks []Task `json:"tasks,omitempty"` - // Used to define various terms and conditions under which an assessment, described by the - // plan, can be performed. Each child part defines a different type of term or condition. - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment plan in this or other OSCAL instances. The locally defined - // UUID of the assessment plan can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Identifies the assets used to perform this assessment, such as the assessment team, -// scanning tools, and assumptions. -type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` -} - -// Used to represent the toolset used to perform aspects of the assessment. -type AssessmentPlatformElement struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for the assessment platform. - Title *string `json:"title,omitempty"` - UsesComponents []UsesComponent `json:"uses-components,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the assessment platform can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A reference to a local or remote resource -type Link struct { - // A resolvable URL reference to a resource. - Href string `json:"href"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` - // Describes the type of relationship provided by the link. This can be an indicator of the - // link's purpose. - Rel *string `json:"rel,omitempty"` - // A textual label to associate with the link, which may be used for presentation in a tool. - Text *string `json:"text,omitempty"` -} - -// An attribute, characteristic, or quality of the containing object expressed as a -// namespace qualified name/value pair. The value of a property is a simple scalar value, -// which may be expressed as a list of values. -type Property struct { - // A textual label that provides a sub-type or characterization of the property's name. This - // can be used to further distinguish or discriminate between the semantics of multiple - // properties of the same object with the same name and ns. - Class *string `json:"class,omitempty"` - // A textual label that uniquely identifies a specific attribute, characteristic, or quality - // of the property's containing object. - Name string `json:"name"` - // A namespace qualifying the property's name. This allows different organizations to - // associate distinct semantics with the same name. 
- NS *string `json:"ns,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined property elsewhere in this or other OSCAL instances. This UUID - // should be assigned per-subject, which means it should be consistently used to identify - // the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` - // Indicates the value of the attribute, characteristic, or quality. - Value string `json:"value"` -} - -// The set of components that are used by the assessment platform. -type UsesComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A reference to a set of organizations or persons that have responsibility for performing -// a referenced role in the context of the containing object. -type ResponsibleParty struct { - Links []Link `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to roles served by the user. - RoleID string `json:"role-id"` -} - -// A defined component that can be part of an implemented system. -type AssessmentAssetsComponent struct { - // A description of the component, including information about its function. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. 
- Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // Describes the operational status of the system component. - Status ComponentStatus `json:"status"` - // A human readable name for the system component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Information about the protocol used to provide a service. -type ServiceProtocolInformation struct { - // The common name of the protocol, which should be the appropriate "service name" from the - // IANA Service Name and Transport Protocol Port Number Registry. - Name string `json:"name"` - PortRanges []PortRange `json:"port-ranges,omitempty"` - // A human readable name for the protocol (e.g., Transport Layer Security). - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this service protocol information elsewhere in this or other OSCAL - // instances. The locally defined UUID of the service protocol can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. 
- UUID *string `json:"uuid,omitempty"` -} - -// Where applicable this is the IPv4 port range on which the service operates. -type PortRange struct { - // Indicates the ending port number in a port range - End *int64 `json:"end,omitempty"` - // Indicates the starting port number in a port range - Start *int64 `json:"start,omitempty"` - // Indicates the transport type. - Transport *Transport `json:"transport,omitempty"` -} - -// A reference to one or more roles with responsibility for performing a function relative -// to the containing object. -type ResponsibleRole struct { - Links []Link `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to roles responsible for the business function. - RoleID string `json:"role-id"` -} - -// Describes the operational status of the system component. -type ComponentStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The operational status. - State PurpleState `json:"state"` -} - -// Identifies system elements being assessed, such as components, inventory items, and -// locations. In the assessment plan, this identifies a planned assessment subject. In the -// assessment results this is an actual assessment subject, and reflects any changes from -// the plan. exactly what will be the focus of this assessment. Any subjects not identified -// in this way are out-of-scope. -type SubjectOfAssessment struct { - // A human-readable description of the collection of subjects being included in this - // assessment. 
- Description *string `json:"description,omitempty"` - ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Indicates the type of assessment subject, such as a component, inventory, item, location, - // or party represented by this selection statement. - Type string `json:"type"` -} - -// Identifies a set of assessment subjects to include/exclude by UUID. -type SelectAssessmentSubject struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// Include all controls from the imported catalog or profile resources. -type IncludeAll struct { -} - -// A collection of resources, which may be included directly or by reference. -type BackMatter struct { - Resources []Resource `json:"resources,omitempty"` -} - -// A resource associated with content in the containing document. A resource may be directly -// included in the document base64 encoded or may point to one or more equivalent internet -// resources. -type Resource struct { - // The Base64 alphabet in RFC 2045 - aligned with XSD. - Base64 *Base64 `json:"base64,omitempty"` - // A citation consisting of end note text and optional structured bibliographic data. - Citation *Citation `json:"citation,omitempty"` - // A short summary of the resource used to indicate the purpose of the resource. 
- Description *string `json:"description,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Rlinks []ResourceLink `json:"rlinks,omitempty"` - // A name given to the resource, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined resource elsewhere in this or other OSCAL instances. This UUID - // should be assigned per-subject, which means it should be consistently used to identify - // the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// The Base64 alphabet in RFC 2045 - aligned with XSD. -type Base64 struct { - // Name of the file before it was encoded as Base64 to be embedded in a resource. This is - // the name that will be assigned to the file when the file is decoded. - Filename *string `json:"filename,omitempty"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` - Value string `json:"value"` -} - -// A citation consisting of end note text and optional structured bibliographic data. -type Citation struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A line of citation text. - Text string `json:"text"` -} - -// A document identifier qualified by an identifier scheme. A document identifier provides a -// globally unique identifier with a cross-instance scope that is used for a group of -// documents that are to be treated as different versions of the same document. If this -// element does not appear, or if the value of this element is empty, the value of -// "document-id" is equal to the value of the "uuid" flag of the top-level root element. 
-type DocumentIdentifier struct { - Identifier string `json:"identifier"` - // Qualifies the kind of document identifier using a URI. If the scheme is not provided the - // value of the element will be interpreted as a string of characters. - Scheme *string `json:"scheme,omitempty"` -} - -// A pointer to an external resource with an optional hash for verification and change -// detection. -type ResourceLink struct { - Hashes []Hash `json:"hashes,omitempty"` - // A resolvable URI reference to a resource. - Href string `json:"href"` - // Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media - // Types Registry. - MediaType *string `json:"media-type,omitempty"` -} - -// A representation of a cryptographic digest generated over a resource using a specified -// hash algorithm. -type Hash struct { - // Method by which a hash is derived - Algorithm string `json:"algorithm"` - Value string `json:"value"` -} - -// Used by the assessment plan and POA&M to import information about the system. -type ImportSystemSecurityPlan struct { - // A resolvable URL reference to the system security plan for the system being assessed. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentPlanLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Identifies an assessment or related process that can be performed. In the assessment -// plan, this is an intended activity which may be associated with an assessment task. 
In -// the assessment results, this an activity that was actually performed as part of an -// assessment. -type Activity struct { - // A human-readable description of this included activity. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Steps []Step `json:"steps,omitempty"` - // The title for this included activity. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment activity elsewhere in this or other OSCAL instances. The - // locally defined UUID of the activity can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies the controls being assessed and their control objectives. -type ReviewedControlsAndControlObjectives struct { - ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections"` - // A human-readable description of control objectives. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Identifies the control objectives of the assessment. In the assessment plan, these are -// the planned objectives. In the assessment results, these are the assessed objectives, and -// reflects any changes from the plan. 
-type ReferencedControlObjectives struct { - // A human-readable description of this collection of control objectives. - Description *string `json:"description,omitempty"` - ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control objective for inclusion/exclusion based on the control -// objective's identifier. -type SelectObjective struct { - // Points to an assessment objective. - ObjectiveID string `json:"objective-id"` -} - -// Identifies the controls being assessed. In the assessment plan, these are the planned -// controls. In the assessment results, these are the actual controls, and reflects any -// changes from the plan. -type AssessedControls struct { - // A human-readable description of in-scope controls specified for assessment. - Description *string `json:"description,omitempty"` - ExcludeControls []SelectControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []SelectControl `json:"include-controls,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control for inclusion/exclusion based on one or more control -// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion -// to only specific control statements providing more granularity over the specific -// statements that are within the asessment scope. -type SelectControl struct { - // A human-oriented identifier reference to a control with a corresponding id value. 
When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - StatementIDS []string `json:"statement-ids,omitempty"` -} - -// Identifies an individual step in a series of steps related to an activity, such as an -// assessment test or examination procedure. -type Step struct { - // A human-readable description of this step. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` - // The title for this step. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this step elsewhere in this or other OSCAL instances. The locally defined - // UUID of the step (in a series of steps) can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A single managed inventory item within the system. -type InventoryItem struct { - // A summary of the inventory item stating its purpose within the system. 
- Description string `json:"description"` - ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inventory item elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inventory item can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// The set of components that are implemented in a given system inventory item. -type ImplementedComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A local definition of a control objective for this assessment. Uses catalog syntax for -// control objective and assessment actions. -type AssessmentSpecificControlObjective struct { - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A human-readable description of this control objective. 
- Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Parts []Part `json:"parts"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A partition of a control's definition or a child of another part. -type Part struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined part elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, this identifier must be referenced in the context of the - // containing resource (e.g., import-profile). This id should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - ID *string `json:"id,omitempty"` - Links []Link `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name string `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// A type of user that interacts with the system based on an associated role. -type SystemUser struct { - AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` - // A summary of the user's purpose within the system. 
- Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RoleIDS []string `json:"role-ids,omitempty"` - // A short common name, abbreviation, or acronym for the user. - ShortName *string `json:"short-name,omitempty"` - // A name given to the user, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this user class elsewhere in this or other OSCAL instances. The locally - // defined UUID of the system user can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies a specific system privilege held by the user, along with an associated -// description and/or rationale for the privilege. -type Privilege struct { - // A summary of the privilege's purpose within the system. - Description *string `json:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed"` - // A human readable name for the privilege. - Title string `json:"title"` -} - -// Provides information about the publication and availability of the containing document. 
-type PublicationMetadata struct { - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified"` - Links []Link `json:"links,omitempty"` - Locations []Location `json:"locations,omitempty"` - OscalVersion string `json:"oscal-version"` - Parties []PartyOrganizationOrPerson `json:"parties,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` - Roles []Role `json:"roles,omitempty"` - // A name given to the document, which may be used by a tool for display and navigation. - Title string `json:"title"` - Version string `json:"version"` -} - -// A location, with associated metadata that can be referenced. -type Location struct { - Address Address `json:"address"` - EmailAddresses []string `json:"email-addresses,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A name given to the location, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - Urls []string `json:"urls,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined location elsewhere in this or other OSCAL instances. The - // locally defined UUID of the location can be used to reference the data item locally or - // globally (e.g., from an importing OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A postal address for the location. 
-type Address struct { - AddrLines []string `json:"addr-lines,omitempty"` - // City, town or geographical region for the mailing address. - City *string `json:"city,omitempty"` - // The ISO 3166-1 alpha-2 country code for the mailing address. - Country *string `json:"country,omitempty"` - // Postal or ZIP code for mailing address - PostalCode *string `json:"postal-code,omitempty"` - // State, province or analogous geographical region for mailing address - State *string `json:"state,omitempty"` - // Indicates the type of address. - Type *string `json:"type,omitempty"` -} - -// Contact number by telephone. -type TelephoneNumber struct { - Number string `json:"number"` - // Indicates the type of phone number. - Type *string `json:"type,omitempty"` -} - -// A responsible entity which is either a person or an organization. -type PartyOrganizationOrPerson struct { - Addresses []Address `json:"addresses,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` - Links []Link `json:"links,omitempty"` - LocationUuids []string `json:"location-uuids,omitempty"` - MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` - // The full name of the party. This is typically the legal name associated with the party. - Name *string `json:"name,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the party. - ShortName *string `json:"short-name,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A category describing the kind of party the object describes. - Type PartyType `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this defined party elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the party can be used to reference the data item locally or globally - // (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// An identifier for a person or organization using a designated scheme. e.g. an Open -// Researcher and Contributor ID (ORCID) -type PartyExternalIdentifier struct { - ID string `json:"id"` - // Indicates the type of external identifier. - Scheme string `json:"scheme"` -} - -// An entry in a sequential list of revisions to the containing document in reverse -// chronological order (i.e., most recent previous revision first). -type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty"` - Links []Link `json:"links,omitempty"` - OscalVersion *string `json:"oscal-version,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A name given to the document revision, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - Version string `json:"version"` -} - -// Defines a function assumed or expected to be assumed by a party in a specific situation. -type Role struct { - // A summary of the role's purpose and associated responsibilities. - Description *string `json:"description,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined role elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL - // instance must be referenced in the context of the containing resource (e.g., import, - // import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ID string `json:"id"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the role. - ShortName *string `json:"short-name,omitempty"` - // A name given to the role, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Represents a scheduled event or milestone, which may be associated with a series of -// assessment actions. -type Task struct { - AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` - Dependencies []TaskDependency `json:"dependencies,omitempty"` - // A human-readable description of this task. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The timing under which the task is intended to occur. - Timing *EventTiming `json:"timing,omitempty"` - // The title for this task. - Title string `json:"title"` - // The type of task. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this task elsewhere in this or other OSCAL instances. The locally defined - // UUID of the task can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. 
- UUID string `json:"uuid"` -} - -// Identifies an individual activity to be performed as part of a task. -type AssociatedActivity struct { - // A machine-oriented identifier reference to an activity defined in the list of activities. - ActivityUUID string `json:"activity-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// Used to indicate that a task is dependent on another task. -type TaskDependency struct { - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// The timing under which the task is intended to occur. -type EventTiming struct { - // The task is intended to occur at the specified frequency. - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` - // The task is intended to occur on the specified date. - OnDate *OnDateCondition `json:"on-date,omitempty"` - // The task is intended to occur within the specified date range. - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` -} - -// The task is intended to occur at the specified frequency. -type FrequencyCondition struct { - // The task must occur after the specified period has elapsed. - Period int64 `json:"period"` - // The unit of time for the period. - Unit TimeUnit `json:"unit"` -} - -// The task is intended to occur on the specified date. -type OnDateCondition struct { - // The task must occur on the specified date. - Date time.Time `json:"date"` -} - -// The task is intended to occur within the specified date range. -type OnDateRangeCondition struct { - // The task must occur on or before the specified date. - End time.Time `json:"end"` - // The task must occur on or after the specified date. 
- Start time.Time `json:"start"` -} - -// Used to define various terms and conditions under which an assessment, described by the -// plan, can be performed. Each child part defines a different type of term or condition. -type AssessmentPlanTermsAndConditions struct { - Parts []AssessmentPart `json:"parts,omitempty"` -} - -// A partition of an assessment plan or results or a child of another part. -type AssessmentPart struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - Links []Link `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name string `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []AssessmentPart `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this part elsewhere in this or other OSCAL instances. The locally defined - // UUID of the part can be used to reference the data item locally or globally (e.g., in an - // ported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP -// Security Assessment Report. 
-type SecurityAssessmentResultsSAR struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportAp ImportAssessmentPlan `json:"import-ap"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Results []AssessmentResult `json:"results"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment results instance in this or other OSCAL instances. The - // locally defined UUID of the assessment result can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Used by assessment-results to import information about the original plan for assessing -// the system. -type ImportAssessmentPlan struct { - // A resolvable URL reference to the assessment plan governing the assessment activities. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentResultsLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used by the assessment results and POA&M. In the assessment results, this identifies all -// of the assessment observations and findings, initial and residual risks, deviations, and -// disposition. In the POA&M, this identifies initial and residual risks, deviations, and -// disposition. 
-type AssessmentResult struct { - // A log of all assessment-related actions taken. - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` - Attestations []AttestationStatements `json:"attestations,omitempty"` - // A human-readable description of this set of test results. - Description string `json:"description"` - // Date/time stamp identifying the end of the evidence collection reflected in these - // results. In a continuous motoring scenario, this may contain the same value as start if - // appropriate. - End *time.Time `json:"end,omitempty"` - Findings []Finding `json:"findings,omitempty"` - Links []Link `json:"links,omitempty"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` - Observations []Observation `json:"observations,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - // Date/time stamp identifying the start of the evidence collection reflected in these - // results. - Start time.Time `json:"start"` - // The title for this set of results. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this set of results in this or other OSCAL instances. The locally defined - // UUID of the assessment result can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all assessment-related actions taken. 
-type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries"` -} - -// Identifies the result of an action and/or task that occurred as part of executing an -// assessment plan or an assessment event that occurred in producing the assessment results. -type AssessmentLogEntry struct { - // A human-readable description of this event. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of an event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []Link `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of an event. - Start time.Time `json:"start"` - // The title for this event. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference an assessment event in this or other OSCAL instances. The locally defined - // UUID of the assessment log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Used to indicate who created a log entry in what role. -type LoggedBy struct { - // A machine-oriented identifier reference to the party who is making the log entry. - PartyUUID string `json:"party-uuid"` - // A point to the role-id of the role in which the party is making the log entry. - RoleID *string `json:"role-id,omitempty"` -} - -// Identifies an individual task for which the containing object is a consequence of. 
-type TaskReference struct { - // Used to detail assessment subjects that were identfied by this task. - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// Used to detail assessment subjects that were identfied by this task. -type IdentifiedSubject struct { - // A machine-oriented identifier reference to a unique assessment subject placeholder - // defined by this task. - SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// A set of textual statements, typically written by the assessor. -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// Describes an individual finding. -type Finding struct { - // A human-readable description of this finding. - Description string `json:"description"` - // A machine-oriented identifier reference to the implementation statement in the SSP to - // which this finding is related. - ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` - Links []Link `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Target TargetClass `json:"target"` - // The title for this finding. 
- Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this finding in this or other OSCAL instances. The locally defined UUID of - // the finding can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the source of the finding, such as a tool, interviewed person, or activity. -type FindingOrigin struct { - Actors []OriginatingActor `json:"actors"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` -} - -// The actor that produces an observation, a finding, or a risk. One or more actor type can -// be used to specify a person that is using a tool. -type OriginatingActor struct { - // A machine-oriented identifier reference to the tool or person based on the associated - // type. - ActorUUID string `json:"actor-uuid"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // For a party, this can optionally be used to specify the role the actor was performing. - RoleID *string `json:"role-id,omitempty"` - // The kind of actor. - Type ActorType `json:"type"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type FindingRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type FindingRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. 
- RiskUUID string `json:"risk-uuid"` -} - -// Captures an assessor's conclusions regarding the degree to which an objective is -// satisfied. -type TargetClass struct { - // A human-readable description of the assessor's conclusions regarding the degree to which - // an objective is satisfied. - Description *string `json:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A determination of if the objective is satisfied or not within a given system. - Status StatusClass `json:"status"` - // A machine-oriented identifier reference for a specific target qualified by the type. - TargetID string `json:"target-id"` - // The title for this objective status. - Title *string `json:"title,omitempty"` - // Identifies the type of the target. - Type FindingTargetType `json:"type"` -} - -// Indicates the degree to which the a given control is implemented. -type ImplementationStatus struct { - Remarks *string `json:"remarks,omitempty"` - // Identifies the implementation status of the control or control objective. - State string `json:"state"` -} - -// A determination of if the objective is satisfied or not within a given system. -type StatusClass struct { - // The reason the objective was given it's status. - Reason *string `json:"reason,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // An indication as to whether the objective is satisfied or not. - State ObjectiveStatusState `json:"state"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type ResultLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Describes an individual observation. -type Observation struct { - // Date/time stamp identifying when the finding information was collected. - Collected time.Time `json:"collected"` - // A human-readable description of this assessment observation. - Description string `json:"description"` - // Date/time identifying when the finding information is out-of-date and no longer valid. - // Typically used with continuous assessment scenarios. - Expires *time.Time `json:"expires,omitempty"` - Links []Link `json:"links,omitempty"` - Methods []string `json:"methods"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this observation. - Title *string `json:"title,omitempty"` - Types []string `json:"types,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this observation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the observation can be used to reference the data item locally or - // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Links this observation to relevant evidence. -type RelevantEvidence struct { - // A human-readable description of this evidence. 
- Description string `json:"description"` - // A resolvable URL reference to relevant evidence. - Href *string `json:"href,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A human-oriented identifier reference to a resource. Use type to indicate whether the -// identified resource is a component, inventory item, location, user, or something else. -type IdentifiesTheSubject struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // The title or name for the referenced subject. - Title *string `json:"title,omitempty"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// An identified risk. -type IdentifiedRisk struct { - Characterizations []Characterization `json:"characterizations,omitempty"` - // The date/time by which the risk must be resolved. - Deadline *time.Time `json:"deadline,omitempty"` - // A human-readable summary of the identified risk, to include a statement of how the risk - // impacts the system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` - Remediations []RiskResponse `json:"remediations,omitempty"` - // A log of all risk-related tasks taken. - RiskLog *RiskLog `json:"risk-log,omitempty"` - // An summary of impact for how the risk affects the system. 
- Statement string `json:"statement"` - Status string `json:"status"` - ThreatIDS []ThreatID `json:"threat-ids,omitempty"` - // The title for this risk. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk elsewhere in this or other OSCAL instances. The locally defined - // UUID of the risk can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A collection of descriptive data about the containing object from a specific origin. -type Characterization struct { - Facets []Facet `json:"facets"` - Links []Link `json:"links,omitempty"` - Origin FindingOrigin `json:"origin"` - Props []Property `json:"props,omitempty"` -} - -// An individual characteristic that is part of a larger set produced by the same actor. -type Facet struct { - Links []Link `json:"links,omitempty"` - // The name of the risk metric within the specified system. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Specifies the naming system under which this risk metric is organized, which allows for - // the same names to be used in different systems controlled by different parties. This - // avoids the potential of a name clash. - System string `json:"system"` - // Indicates the value of the facet. - Value string `json:"value"` -} - -// Describes an existing mitigating factor that may affect the overall determination of the -// risk, with an optional link to an implementation statement in the SSP. -type MitigatingFactor struct { - // A human-readable description of this mitigating factor. 
- Description string `json:"description"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this implementation statement elsewhere in this or other OSCAL instancess. - // The locally defined UUID of the implementation statement can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ImplementationUUID *string `json:"implementation-uuid,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this mitigating factor elsewhere in this or other OSCAL instances. The - // locally defined UUID of the mitigating factor can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type RiskRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Describes either recommended or an actual plan for addressing the risk. -type RiskResponse struct { - // A human-readable description of this response plan. - Description string `json:"description"` - // Identifies whether this is a recommendation, such as from an assessor or tool, or an - // actual plan accepted by the system owner. 
- Lifecycle string `json:"lifecycle"` - Links []Link `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The title for this response activity. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this remediation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk response can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an asset required to achieve remediation. -type RequiredAsset struct { - // A human-readable description of this required asset. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this required asset. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this required asset elsewhere in this or other OSCAL instances. The locally - // defined UUID of the asset can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all risk-related tasks taken. 
-type RiskLog struct { - Entries []RiskLogEntry `json:"entries"` -} - -// Identifies an individual risk response that occurred as part of managing an identified -// risk. -type RiskLogEntry struct { - // A human-readable description of what was done regarding the risk. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of the event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []Link `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of the event. - Start time.Time `json:"start"` - StatusChange *string `json:"status-change,omitempty"` - // The title for this risk log entry. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual risk response that this log entry is for. -type RiskResponseReference struct { - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique risk response. - ResponseUUID string `json:"response-uuid"` -} - -// A pointer, by ID, to an externally-defined threat. 
-type ThreatID struct { - // An optional location for the threat data, from which this ID originates. - Href *string `json:"href,omitempty"` - ID string `json:"id"` - // Specifies the source of the threat information. - System string `json:"system"` -} - -// A collection of controls. -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []ControlGroup `json:"groups,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Params []Parameter `json:"params,omitempty"` - // A globally unique identifier with cross-instance scope for this catalog instance. This - // UUID should be changed when this document is revised. - UUID string `json:"uuid"` -} - -// A structured information object representing a security or privacy control. Each security -// or privacy control within the Catalog is defined by a distinct control instance. -type Control struct { - // A textual label that provides a sub-type or characterization of the control. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - // A human-oriented, locally unique identifier with instance scope that can be used to - // reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This - // id should be assigned per-subject, which means it should be consistently used to identify - // the same control across revisions of the document. - ID string `json:"id"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. -type Parameter struct { - // A textual label that provides a characterization of the parameter. 
- Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. This construct has been deprecated - // and should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined parameter elsewhere in this or other OSCAL instances. When - // referenced from another OSCAL instance, this identifier must be referenced in the context - // of the containing resource (e.g., import-profile). This id should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - ID string `json:"id"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A formal or informal expression of a constraint or test -type Constraint struct { - // A textual summary of the constraint to be applied. - Description *string `json:"description,omitempty"` - Tests []ConstraintTest `json:"tests,omitempty"` -} - -// A test expression which is expected to be evaluated by a tool. -type ConstraintTest struct { - // A formal (executable) expression of a constraint - Expression string `json:"expression"` - Remarks *string `json:"remarks,omitempty"` -} - -// A prose statement that provides a recommendation for the use of a parameter. -type Guideline struct { - // Prose permits multiple paragraphs, lists, tables etc. 
- Prose string `json:"prose"` -} - -// Presenting a choice among alternatives -type Selection struct { - Choice []string `json:"choice,omitempty"` - // Describes the number of selections that must occur. Without this setting, only one value - // should be assumed to be permitted. - HowMany *ParameterCardinality `json:"how-many,omitempty"` -} - -// A group of controls, or of groups of controls. -type ControlGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []ControlGroup `json:"groups,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined group elsewhere in in this and other OSCAL instances (e.g., - // profiles). This id should be assigned per-subject, which means it should be consistently - // used to identify the same group across revisions of the document. - ID *string `json:"id,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// A collection of component descriptions, which may optionally be grouped by capability. -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Capabilities []Capability `json:"capabilities,omitempty"` - Components []ComponentDefinitionComponent `json:"components,omitempty"` - ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component definition elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the component definition can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A grouping of other components and/or capabilities. -type Capability struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A summary of the capability. - Description string `json:"description"` - IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` - Links []Link `json:"links,omitempty"` - // The capability's human-readable name. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this capability elsewhere in this or other OSCAL instances. The locally - // defined UUID of the capability can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Defines how the component or capability supports a set of controls. -type ControlImplementationSet struct { - // A description of how the specified set of controls are implemented for the containing - // component or capability. 
- Description string `json:"description"` - ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol - // definition. - Source string `json:"source"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference a set of implemented controls elsewhere in this or other OSCAL instances. - // The locally defined UUID of the control implementation set can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how the containing component or capability implements an individual control. -type ImplementedRequirementElement struct { - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A suggestion for how the specified control may be implemented if the containing component - // or capability is instantiated in a system security plan. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []ControlStatementImplementation `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference a specific control implementation elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance).This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the parameter that will be set by the enclosed value. -type SetParameterValue struct { - // A human-oriented reference to a parameter within a control, who's catalog has been - // imported into the current implementation context. - ParamID string `json:"param-id"` - Remarks *string `json:"remarks,omitempty"` - Values []string `json:"values"` -} - -// Identifies which statements within a control are addressed. -type ControlStatementImplementation struct { - // A summary of how the containing control statement is implemented by the component or - // capability. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. 
- StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// TBD -type IncorporatesComponent struct { - // A machine-oriented identifier reference to a component. - ComponentUUID string `json:"component-uuid"` - // A description of the component, including information about its function. - Description string `json:"description"` -} - -// A defined component that can be part of an implemented system. -type ComponentDefinitionComponent struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A description of the component, including information about its function. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human readable name for the component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). 
This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Loads a component definition from another resource. -type ImportComponentDefinition struct { - // A link to a resource that defines a set of components and/or capabilities to import into - // this collection. - Href string `json:"href"` -} - -// A plan of action and milestones which identifies initial and residual risks, deviations, -// and disposition, such as those required by FedRAMP. -type PlanOfActionAndMilestonesPOAM struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Observations []Observation `json:"observations,omitempty"` - PoamItems []POAMItem `json:"poam-items"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - SystemID *SystemIdentification `json:"system-id,omitempty"` - // A machine-oriented, globally unique identifier with instancescope that can be used to - // reference this POA&M instance in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Allows components, and inventory-items to be defined within the POA&M for circumstances -// where no OSCAL-based SSP exists, or is not delivered with the POA&M. -type PlanOfActionAndMilestonesLocalDefinitions struct { - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Describes an individual POA&M item. -type POAMItem struct { - // A human-readable description of POA&M item. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Origins []PoamItemOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for this POA&M item . - Title string `json:"title"` - // A machine-oriented, globally unique identifier with instance scope that can be used to - // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Identifies the source of the finding, such as a tool or person. -type PoamItemOrigin struct { - Actors []OriginatingActor `json:"actors"` -} - -// Relates the poam-item to a set of referenced observations that were used to determine the -// finding. -type PoamItemRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type PoamItemRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. - RiskUUID string `json:"risk-uuid"` -} - -// A human-oriented, globally unique identifier with cross-instance scope that can be used -// to reference this system identification property elsewhere in this or other OSCAL -// instances. When referencing an externally defined system identification, the system -// identification must be used in the context of the external / imported OSCAL instance -// (e.g., uri-reference). 
This string should be assigned per-subject, which means it should -// be consistently used to identify the same system across revisions of the document. -type SystemIdentification struct { - ID string `json:"id"` - // Identifies the identification system from which the provided identifier was assigned. - IdentifierType *string `json:"identifier-type,omitempty"` -} - -// Each OSCAL profile is defined by a Profile element -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Imports []ImportResource `json:"imports"` - Merge *MergeControls `json:"merge,omitempty"` - Metadata PublicationMetadata `json:"metadata"` - Modify *ModifyControls `json:"modify,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this profile elsewhere in this or other OSCAL instances. The locally defined - // UUID of the profile can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance).This identifier should be assigned per-subject, which means - // it should be consistently used to identify the same profile across revisions of the - // document. - UUID string `json:"uuid"` -} - -// The import designates a catalog or profile to be included (referenced and potentially -// modified) by this profile. The import also identifies which controls to select using the -// include-all, include-controls, and exclude-controls directives. -type ImportResource struct { - ExcludeControls []Call `json:"exclude-controls,omitempty"` - // A resolvable URL reference to the base catalog or profile that this profile is tailoring. - Href string `json:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []Call `json:"include-controls,omitempty"` -} - -// Call a control by its ID -type Call struct { - Matching []MatchControlsByPattern `json:"matching,omitempty"` - // When a control is included, whether its child (dependent) controls are also included. 
- WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` - WithIDS []string `json:"with-ids,omitempty"` -} - -// Select controls by (regular expression) match on ID -type MatchControlsByPattern struct { - // A glob expression matching the IDs of one or more controls to be selected. - Pattern *string `json:"pattern,omitempty"` -} - -// A Merge element provides structuring directives that drive how controls are organized -// after resolution. -type MergeControls struct { - // An As-is element indicates that the controls should be structured in resolution as they - // are structured in their source catalogs. It does not contain any elements or attributes. - AsIs *bool `json:"as-is,omitempty"` - // A Combine element defines how to combine multiple (competing) versions of the same - // control. - Combine *CombinationRule `json:"combine,omitempty"` - // A Custom element frames a structure for embedding represented controls in resolution. - Custom *CustomGrouping `json:"custom,omitempty"` - // Use the flat structuring method. - Flat *Flat `json:"flat,omitempty"` -} - -// A Combine element defines how to combine multiple (competing) versions of the same -// control. -type CombinationRule struct { - // How clashing controls should be handled - Method *CombinationMethod `json:"method,omitempty"` -} - -// A Custom element frames a structure for embedding represented controls in resolution. -type CustomGrouping struct { - Groups []CustomGroup `json:"groups,omitempty"` - InsertControls []SelectControls `json:"insert-controls,omitempty"` -} - -// A group of (selected) controls or of groups of controls -type CustomGroup struct { - // A textual label that provides a sub-type or characterization of the group. 
- Class *string `json:"class,omitempty"` - Groups []CustomGroup `json:"groups,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined group elsewhere in this or other OSCAL instances. When referenced - // from another OSCAL instance, this identifier must be referenced in the context of the - // containing resource (e.g., import-profile). This id should be assigned per-subject, which - // means it should be consistently used to identify the same group across revisions of the - // document. - ID *string `json:"id,omitempty"` - InsertControls []SelectControls `json:"insert-controls,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Specifies which controls to use in the containing context. -type SelectControls struct { - ExcludeControls []Call `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []Call `json:"include-controls,omitempty"` - // A designation of how a selection of controls in a profile is to be ordered. - Order *Order `json:"order,omitempty"` -} - -// Use the flat structuring method. -type Flat struct { -} - -// Set parameters or amend controls in resolution -type ModifyControls struct { - Alters []Alteration `json:"alters,omitempty"` - SetParameters []ParameterSetting `json:"set-parameters,omitempty"` -} - -// An Alter element specifies changes to be made to an included control when a profile is -// resolved. -type Alteration struct { - Adds []Addition `json:"adds,omitempty"` - // A human-oriented identifier reference to a control with a corresponding id value. 
When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Removes []Removal `json:"removes,omitempty"` -} - -// Specifies contents to be added into controls, in resolution -type Addition struct { - // Target location of the addition. - ByID *string `json:"by-id,omitempty"` - Links []Link `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []Part `json:"parts,omitempty"` - // Where to add the new content with respect to the targeted element (beside it or inside it) - Position *Position `json:"position,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// Specifies objects to be removed from a control based on specific aspects of the object -// that must all match. -type Removal struct { - // Identify items to remove by matching their class. - ByClass *string `json:"by-class,omitempty"` - // Identify items to remove indicated by their id. - ByID *string `json:"by-id,omitempty"` - // Identify items to remove by the name of the item's information element name, e.g. title - // or prop - ByItemName *string `json:"by-item-name,omitempty"` - // Identify items to remove by matching their assigned name - ByName *string `json:"by-name,omitempty"` - // Identify items to remove by the item's ns, which is the namespace associated with a part, - // or prop. - ByNS *string `json:"by-ns,omitempty"` -} - -// A parameter setting, to be propagated to points of insertion -type ParameterSetting struct { - // A textual label that provides a characterization of the parameter. - Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. 
This construct has been deprecated - // and should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []Link `json:"links,omitempty"` - // A human-oriented, locally unique identifier with cross-instance scope that can be used to - // reference this defined parameter elsewhere in this or other OSCAL instances. When - // referenced from another OSCAL instance, this identifier must be referenced in the context - // of the containing resource (e.g., import-profile). This id should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - ParamID string `json:"param-id"` - Props []Property `json:"props,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A system security plan, such as those described in NIST SP 800-18 -type SystemSecurityPlanSSP struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ControlImplementation ControlImplementationClass `json:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile"` - Metadata PublicationMetadata `json:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. 
- // The locally defined UUID of the SSP can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes how the system satisfies a set of controls. -type ControlImplementationClass struct { - // A statement describing important things to know about how this set of control - // satisfaction documentation is approached. - Description string `json:"description"` - ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` -} - -// Describes how the system satisfies the requirements of an individual control. -type ControlBasedRequirement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - // A human-oriented identifier reference to a control with a corresponding id value. When - // referencing an externally defined control, the Control Identifier Reference must be used - // in the context of the external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []SpecificControlStatement `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control requirement elsewhere in this or other OSCAL instances. The - // locally defined UUID of the control requirement can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Defines how the referenced component implements a set of controls. -type ComponentControlImplementation struct { - // A machine-oriented identifier reference to the component that is implemeting a given - // control. - ComponentUUID string `json:"component-uuid"` - // An implementation statement that describes how a control or a control statement is - // implemented within the referenced system component. - Description string `json:"description"` - // Identifies content intended for external consumption, such as with leveraged - // organizations. - Export *Export `json:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Inherited []InheritedControlImplementation `json:"inherited,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this by-component entry elsewhere in this or other OSCAL instances. The - // locally defined UUID of the by-component entry can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies content intended for external consumption, such as with leveraged -// organizations. 
-type Export struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be available to another system leveraging this system. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Provided []ProvidedControlImplementation `json:"provided,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` -} - -// Describes a capability which may be inherited by a leveraging system. -type ProvidedControlImplementation struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be provided to another system leveraging this system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this provided entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the provided entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation responsibility imposed on a leveraging system. -type ControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that a leveraging system must implement to satisfy the control - // provided by a leveraged system. 
- Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this responsibility elsewhere in this or other OSCAL instances. The locally - // defined UUID of the responsibility can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation inherited by a leveraging system. -type InheritedControlImplementation struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is inheriting from a leveraged system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inherited entry elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the inherited control implementation can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how this system satisfies a responsibility imposed by a leveraged system. -type SatisfiedControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is implementing based on a requirement from a - // leveraged system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a control implementation that satisfies a - // responsibility imposed by a leveraged system. - ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this satisfied control implementation entry elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance). This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies which statements within a control are addressed. 
-type SpecificControlStatement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// Used to import the OSCAL profile representing the system's control baseline. -type ImportProfile struct { - // A resolvable URL reference to the profile or catalog to use as the system's control - // baseline. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Contains the characteristics of the system, such as its name, purpose, and security -// impact level. -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty"` - DateAuthorized *string `json:"date-authorized,omitempty"` - // A summary of the system. - Description string `json:"description"` - Links []Link `json:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - SecurityImpactLevel SecurityImpactLevel `json:"security-impact-level"` - // The overall information system sensitivity categorization, such as defined by FIPS-199. 
- SecuritySensitivityLevel string `json:"security-sensitivity-level"` - Status SystemCharacteristicsStatus `json:"status"` - SystemIDS []SystemIdentification `json:"system-ids"` - SystemInformation SystemInformation `json:"system-information"` - // The full name of the system. - SystemName string `json:"system-name"` - // A short name for the system, such as an acronym, that is suitable for display in a data - // table or summary list. - SystemNameShort *string `json:"system-name-short,omitempty"` -} - -// A description of this system's authorization boundary, optionally supplemented by -// diagrams that illustrate the authorization boundary. -type AuthorizationBoundary struct { - // A summary of the system's authorization boundary. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A graphic that provides a visual representation the system, or some aspect of it. -type Diagram struct { - // A brief caption to annotate the diagram. - Caption *string `json:"caption,omitempty"` - // A summary of the diagram. - Description *string `json:"description,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined - // UUID of the diagram can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance). This UUID should be assigned per-subject, which means it - // should be consistently used to identify the same subject across revisions of the document. 
- UUID string `json:"uuid"` -} - -// A description of the logical flow of information within the system and across its -// boundaries, optionally supplemented by diagrams that illustrate these flows. -type DataFlow struct { - // A summary of the system's data flow. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A description of the system's network architecture, optionally supplemented by diagrams -// that illustrate the network architecture. -type NetworkArchitecture struct { - // A summary of the system's network architecture. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// The overall level of expected impact resulting from unauthorized disclosure, -// modification, or loss of access to information. -type SecurityImpactLevel struct { - // A target-level of availability for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveAvailability string `json:"security-objective-availability"` - // A target-level of confidentiality for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` - // A target-level of integrity for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveIntegrity string `json:"security-objective-integrity"` -} - -// Describes the operational status of the system. -type SystemCharacteristicsStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The current operating status. 
- State FluffyState `json:"state"` -} - -// Contains details about all information types that are stored, processed, or transmitted -// by the system, such as privacy information, and those defined in NIST SP 800-60. -type SystemInformation struct { - InformationTypes []InformationType `json:"information-types"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` -} - -// Contains details about one information type that is stored, processed, or transmitted by -// the system, such as privacy information, and those defined in NIST SP 800-60. -type InformationType struct { - // The expected level of impact resulting from the disruption of access to or use of the - // described information or the information system. - AvailabilityImpact AvailabilityImpactLevel `json:"availability-impact"` - Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` - // The expected level of impact resulting from the unauthorized disclosure of the described - // information. - ConfidentialityImpact ConfidentialityImpactLevel `json:"confidentiality-impact"` - // A summary of how this information type is used within the system. - Description string `json:"description"` - // The expected level of impact resulting from the unauthorized modification of the - // described information. - IntegrityImpact IntegrityImpactLevel `json:"integrity-impact"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A human readable name for the information type. This title should be meaningful within - // the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this information type elsewhere in this or other OSCAL instances. The - // locally defined UUID of the information type can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). 
This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// The expected level of impact resulting from the disruption of access to or use of the -// described information or the information system. -type AvailabilityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// A set of information type identifiers qualified by the given identification system used, -// such as NIST SP 800-60. -type InformationTypeCategorization struct { - InformationTypeIDS []string `json:"information-type-ids,omitempty"` - // Specifies the information type identification system used. - System string `json:"system"` -} - -// The expected level of impact resulting from the unauthorized disclosure of the described -// information. -type ConfidentialityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// The expected level of impact resulting from the unauthorized modification of the -// described information. -type IntegrityImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// Provides information as to how the system is implemented. 
-type SystemImplementation struct { - Components []AssessmentAssetsComponent `json:"components"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` - Links []Link `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users"` -} - -// A description of another authorized system from which this system inherits capabilities -// that satisfy security requirements. Another term for this concept is a common control -// provider. -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized"` - Links []Link `json:"links,omitempty"` - // A machine-oriented identifier reference to the party that manages the leveraged system. - PartyUUID string `json:"party-uuid"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human readable name for the leveraged authorization in the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope and can be used - // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The - // locally defined UUID of the leveraged authorization can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Indicates the transport type. -// -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. 
-// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. 
When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. 
More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Transport string - -const ( - TCP Transport = "TCP" - UDP Transport = "UDP" -) - -// The operational status. -// -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. 
-// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. 
-// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. 
-// -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type PurpleState string - -const ( - PurpleDisposition PurpleState = "disposition" - PurpleOperational PurpleState = "operational" - PurpleOther PurpleState = "other" - PurpleUnderDevelopment PurpleState = "under-development" -) - -// A category describing the kind of party the object describes. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. 
-// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. 
-// -// Describes a function performed for a given authorized privilege by this user class. -// -// Method by which a hash is derived -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type PartyType string - -const ( - Organization PartyType = "organization" - Person PartyType = "person" -) - -// The unit of time for the period. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. 
-// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// Method by which a hash is derived -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type TimeUnit string - -const ( - Days TimeUnit = "days" - Hours TimeUnit = "hours" - Minutes TimeUnit = "minutes" - Months TimeUnit = "months" - Seconds TimeUnit = "seconds" - Years TimeUnit = "years" -) - -// The kind of actor. -// -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. 
-// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. 
When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. 
More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ActorType string - -const ( - AssessmentPlatform ActorType = "assessment-platform" - Party ActorType = "party" - Tool ActorType = "tool" -) - -// An indication as to whether the objective is satisfied or not. -// -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). 
This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. 
-// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ObjectiveStatusState string - -const ( - NotSatisfied ObjectiveStatusState = "not-satisfied" - Satisfied ObjectiveStatusState = "satisfied" -) - -// Identifies the type of the target. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. 
-// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
-// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// Method by which a hash is derived -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type FindingTargetType string - -const ( - ObjectiveID FindingTargetType = "objective-id" - StatementID FindingTargetType = "statement-id" -) - -// Describes the number of selections that must occur. Without this setting, only one value -// should be assumed to be permitted. -// -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. 
When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. 
When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. 
-// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ParameterCardinality string - -const ( - One ParameterCardinality = "one" - OneOrMore ParameterCardinality = "one-or-more" -) - -// When a control is included, whether its child (dependent) controls are also included. -// -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. 
This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. 
-// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). 
-// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. 
-// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type IncludeContainedControlsWithControl string - -const ( - No IncludeContainedControlsWithControl = "no" - Yes IncludeContainedControlsWithControl = "yes" -) - -// How clashing controls should be handled -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. 
-// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// Method by which a hash is derived -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type CombinationMethod string - -const ( - CombinationMethodKeep CombinationMethod = "keep" - Merge CombinationMethod = "merge" - UseFirst CombinationMethod = "use-first" -) - -// A designation of how a selection of controls in a profile is to be ordered. -// -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. 
-// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). 
This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. 
When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. 
More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Order string - -const ( - Ascending Order = "ascending" - Descending Order = "descending" - OrderKeep Order = "keep" -) - -// Where to add the new content with respect to the targeted element (beside it or inside -// it) -// -// Describes the type of relationship provided by the link. This can be an indicator of the -// link's purpose. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. This -// can be used to further distinguish or discriminate between the semantics of multiple -// properties of the same object with the same name and ns. -// -// A textual label that provides a sub-type or characterization of the control. -// -// A human-oriented, locally unique identifier with instance scope that can be used to -// reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This -// id should be assigned per-subject, which means it should be consistently used to identify -// the same control across revisions of the document. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined parameter elsewhere in this or other OSCAL instances. When -// referenced from another OSCAL instance, this identifier must be referenced in the context -// of the containing resource (e.g., import-profile). 
This id should be assigned -// per-subject, which means it should be consistently used to identify the same subject -// across revisions of the document. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined part elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same subject across revisions of the -// document. -// -// A textual label that uniquely identifies the part's semantic type. -// -// A textual label that provides a sub-type or characterization of the group. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in in this and other OSCAL instances (e.g., -// profiles). This id should be assigned per-subject, which means it should be consistently -// used to identify the same group across revisions of the document. -// -// A human-oriented identifier reference to roles served by the user. -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined role elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL -// instance must be referenced in the context of the containing resource (e.g., import, -// import-component-definition, import-profile, import-ssp or import-ap). 
This ID should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// -// -// A human-oriented, locally unique identifier with cross-instance scope that can be used to -// reference this defined group elsewhere in this or other OSCAL instances. When referenced -// from another OSCAL instance, this identifier must be referenced in the context of the -// containing resource (e.g., import-profile). This id should be assigned per-subject, which -// means it should be consistently used to identify the same group across revisions of the -// document. -// -// Target location of the addition. -// -// A human-oriented identifier reference to a control with a corresponding id value. When -// referencing an externally defined control, the Control Identifier Reference must be used -// in the context of the external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items to remove by the name of the item's information element name, e.g. title -// or prop -// -// Identify items to remove by matching their assigned name -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A human-oriented identifier reference to roles responsible for the business function. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. 
-// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// A textual label that uniquely identifies a specific attribute, characteristic, or quality -// of the property's containing object. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Position string - -const ( - After Position = "after" - Before Position = "before" - Ending Position = "ending" - Starting Position = "starting" -) - -// The current operating status. -// -// Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media -// Types Registry. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address -// -// State, province or analogous geographical region for mailing address -// -// The full name of the party. This is typically the legal name associated with the party. 
-// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against. -// -// A string used to distinguish the current version of the document from other previous (and -// future) versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. 
-// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// Method by which a hash is derived -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type FluffyState string - -const ( - FluffyDisposition FluffyState = "disposition" - FluffyOperational FluffyState = "operational" - FluffyOther FluffyState = "other" - FluffyUnderDevelopment FluffyState = "under-development" - UnderMajorModification FluffyState = "under-major-modification" -) diff --git a/src/types/quicktype/oscal-1-1-0/types.go b/src/types/quicktype/oscal-1-1-0/types.go deleted file mode 100644 index 9b77faad..00000000 --- a/src/types/quicktype/oscal-1-1-0/types.go +++ /dev/null 
@@ -1,3754 +0,0 @@ -// This file was generated from JSON Schema using quicktype, do not modify it directly. -// To parse and unparse this JSON data, add this code to your project and do: -// -// oscalModels, err := UnmarshalOscalModels(bytes) -// bytes, err = oscalModels.Marshal() - -package oscalTypes_1_1_0 - -import "time" - -import "encoding/json" - -func UnmarshalOscalModels(data []byte) (OscalModels, error) { - var r OscalModels - err := json.Unmarshal(data, &r) - return r, err -} - -func (r *OscalModels) Marshal() ([]byte, error) { - return json.Marshal(r) -} - -type OscalModels struct { - Schema *string `json:"$schema,omitempty"` - Catalog *Catalog `json:"catalog,omitempty"` - Profile *Profile `json:"profile,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` - SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` - AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` - AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` -} - -// An assessment plan, such as those provided by a FedRAMP assessor. -type SecurityAssessmentPlanSAP struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. 
- LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Tasks []Task `json:"tasks,omitempty"` - // Used to define various terms and conditions under which an assessment, described by the - // plan, can be performed. Each child part defines a different type of term or condition. - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment plan in this or other OSCAL instances. The locally defined - // UUID of the assessment plan can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Identifies the assets used to perform this assessment, such as the assessment team, -// scanning tools, and assumptions. -type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` -} - -// Used to represent the toolset used to perform aspects of the assessment. -type AssessmentPlatformElement struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for the assessment platform. - Title *string `json:"title,omitempty"` - UsesComponents []UsesComponent `json:"uses-components,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the assessment platform can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A reference to a local or remote resource, that has a specific relation to the containing -// object. -type LinkElement struct { - // A resolvable URL reference to a resource. - Href string `json:"href"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` - // Describes the type of relationship provided by the link's hypertext reference. This can - // be an indicator of the link's purpose. - Rel *string `json:"rel,omitempty"` - // In case where the href points to a back-matter/resource, this value will indicate the URI - // fragment to append to any rlink associated with the resource. This value MUST be URI - // encoded. - ResourceFragment *string `json:"resource-fragment,omitempty"` - // A textual label to associate with the link, which may be used for presentation in a tool. - Text *string `json:"text,omitempty"` -} - -// An attribute, characteristic, or quality of the containing object expressed as a -// namespace qualified name/value pair. -type Property struct { - // A textual label that provides a sub-type or characterization of the property's name. - Class *string `json:"class,omitempty"` - // An identifier for relating distinct sets of properties. - Group *string `json:"group,omitempty"` - // A textual label, within a namespace, that uniquely identifies a specific attribute, - // characteristic, or quality of the property's containing object. - Name string `json:"name"` - // A namespace qualifying the property's name. This allows different organizations to - // associate distinct semantics with the same name. 
- NS *string `json:"ns,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A unique identifier for a property. - UUID *string `json:"uuid,omitempty"` - // Indicates the value of the attribute, characteristic, or quality. - Value string `json:"value"` -} - -// The set of components that are used by the assessment platform. -type UsesComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A reference to a set of persons and/or organizations that have responsibility for -// performing the referenced role in the context of the containing object. -type ResponsibleParty struct { - Links []LinkElement `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A reference to a role performed by a party. - RoleID string `json:"role-id"` -} - -// A defined component that can be part of an implemented system. -type AssessmentAssetsComponent struct { - // A description of the component, including information about its function. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // Describes the operational status of the system component. - Status ComponentStatus `json:"status"` - // A human readable name for the system component. 
- Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Information about the protocol used to provide a service. -type ServiceProtocolInformation struct { - // The common name of the protocol, which should be the appropriate "service name" from the - // IANA Service Name and Transport Protocol Port Number Registry. - Name string `json:"name"` - PortRanges []PortRange `json:"port-ranges,omitempty"` - // A human readable name for the protocol (e.g., Transport Layer Security). - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this service protocol information elsewhere in this or other OSCAL - // instances. The locally defined UUID of the service protocol can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Where applicable this is the IPv4 port range on which the service operates. -type PortRange struct { - // Indicates the ending port number in a port range - End *int64 `json:"end,omitempty"` - // Indicates the starting port number in a port range - Start *int64 `json:"start,omitempty"` - // Indicates the transport type. 
- Transport *Transport `json:"transport,omitempty"` -} - -// A reference to a role with responsibility for performing a function relative to the -// containing object, optionally associated with a set of persons and/or organizations that -// perform that role. -type ResponsibleRole struct { - Links []LinkElement `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to a role performed. - RoleID string `json:"role-id"` -} - -// Describes the operational status of the system component. -type ComponentStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The operational status. - State PurpleState `json:"state"` -} - -// Identifies system elements being assessed, such as components, inventory items, and -// locations. In the assessment plan, this identifies a planned assessment subject. In the -// assessment results this is an actual assessment subject, and reflects any changes from -// the plan. exactly what will be the focus of this assessment. Any subjects not identified -// in this way are out-of-scope. -type SubjectOfAssessment struct { - // A human-readable description of the collection of subjects being included in this - // assessment. - Description *string `json:"description,omitempty"` - ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Indicates the type of assessment subject, such as a component, inventory, item, location, - // or party represented by this selection statement. - Type string `json:"type"` -} - -// Identifies a set of assessment subjects to include/exclude by UUID. 
-type SelectAssessmentSubject struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// Include all controls from the imported catalog or profile resources. -type IncludeAll struct { -} - -// A collection of resources that may be referenced from within the OSCAL document instance. -type BackMatter struct { - Resources []Resource `json:"resources,omitempty"` -} - -// A resource associated with content in the containing document instance. A resource may be -// directly included in the document using base64 encoding or may point to one or more -// equivalent internet resources. -type Resource struct { - // A resource encoded using the Base64 alphabet defined by RFC 2045. - Base64 *Base64 `json:"base64,omitempty"` - // An optional citation consisting of end note text using structured markup. - Citation *Citation `json:"citation,omitempty"` - // An optional short summary of the resource used to indicate the purpose of the resource. - Description *string `json:"description,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Rlinks []ResourceLink `json:"rlinks,omitempty"` - // An optional name given to the resource, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - // A unique identifier for a resource. - UUID string `json:"uuid"` -} - -// A resource encoded using the Base64 alphabet defined by RFC 2045. -type Base64 struct { - // Name of the file before it was encoded as Base64 to be embedded in a resource. 
This is - // the name that will be assigned to the file when the file is decoded. - Filename *string `json:"filename,omitempty"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` - Value string `json:"value"` -} - -// An optional citation consisting of end note text using structured markup. -type Citation struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A line of citation text. - Text string `json:"text"` -} - -// A document identifier qualified by an identifier scheme. -type DocumentIdentifier struct { - Identifier string `json:"identifier"` - // Qualifies the kind of document identifier using a URI. If the scheme is not provided the - // value of the element will be interpreted as a string of characters. - Scheme *string `json:"scheme,omitempty"` -} - -// A URL-based pointer to an external resource with an optional hash for verification and -// change detection. -type ResourceLink struct { - Hashes []Hash `json:"hashes,omitempty"` - // A resolvable URL pointing to the referenced resource. - Href string `json:"href"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` -} - -// A representation of a cryptographic digest generated over a resource using a specified -// hash algorithm. -type Hash struct { - // The digest method by which a hash is derived. - Algorithm string `json:"algorithm"` - Value string `json:"value"` -} - -// Used by the assessment plan and POA&M to import information about the system. -type ImportSystemSecurityPlan struct { - // A resolvable URL reference to the system security plan for the system being assessed. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type AssessmentPlanLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Identifies an assessment or related process that can be performed. In the assessment -// plan, this is an intended activity which may be associated with an assessment task. In -// the assessment results, this an activity that was actually performed as part of an -// assessment. -type Activity struct { - // A human-readable description of this included activity. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Steps []Step `json:"steps,omitempty"` - // The title for this included activity. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment activity elsewhere in this or other OSCAL instances. The - // locally defined UUID of the activity can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies the controls being assessed and their control objectives. 
-type ReviewedControlsAndControlObjectives struct { - ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections"` - // A human-readable description of control objectives. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Identifies the control objectives of the assessment. In the assessment plan, these are -// the planned objectives. In the assessment results, these are the assessed objectives, and -// reflects any changes from the plan. -type ReferencedControlObjectives struct { - // A human-readable description of this collection of control objectives. - Description *string `json:"description,omitempty"` - ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control objective for inclusion/exclusion based on the control -// objective's identifier. -type SelectObjective struct { - // Points to an assessment objective. - ObjectiveID string `json:"objective-id"` -} - -// Identifies the controls being assessed. In the assessment plan, these are the planned -// controls. In the assessment results, these are the actual controls, and reflects any -// changes from the plan. -type AssessedControls struct { - // A human-readable description of in-scope controls specified for assessment. 
- Description *string `json:"description,omitempty"` - ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control for inclusion/exclusion based on one or more control -// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion -// to only specific control statements providing more granularity over the specific -// statements that are within the asessment scope. -type ControlSelectionExcludeControl struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - StatementIDS []string `json:"statement-ids,omitempty"` -} - -// Identifies an individual step in a series of steps related to an activity, such as an -// assessment test or examination procedure. -type Step struct { - // A human-readable description of this step. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` - // The title for this step. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this step elsewhere in this or other OSCAL instances. 
The locally defined - // UUID of the step (in a series of steps) can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A single managed inventory item within the system. -type InventoryItem struct { - // A summary of the inventory item stating its purpose within the system. - Description string `json:"description"` - ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inventory item elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inventory item can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// The set of components that are implemented in a given system inventory item. -type ImplementedComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A local definition of a control objective for this assessment. 
Uses catalog syntax for -// control objective and assessment actions. -type AssessmentSpecificControlObjective struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A human-readable description of this control objective. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Parts []PartElement `json:"parts"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// An annotated, markup-based textual element of a control's or catalog group's definition, -// or a child of another part. -type PartElement struct { - // An optional textual providing a sub-type or characterization of the part's name, or a - // category to which the part belongs. - Class *string `json:"class,omitempty"` - // A unique identifier for the part. - ID *string `json:"id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type, which exists in a - // value space qualified by the ns. - Name string `json:"name"` - // An optional namespace qualifying the part's name. This allows different organizations to - // associate distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // An optional name given to the part, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` -} - -// A type of user that interacts with the system based on an associated role. 
-type SystemUser struct { - AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` - // A summary of the user's purpose within the system. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RoleIDS []string `json:"role-ids,omitempty"` - // A short common name, abbreviation, or acronym for the user. - ShortName *string `json:"short-name,omitempty"` - // A name given to the user, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this user class elsewhere in this or other OSCAL instances. The locally - // defined UUID of the system user can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies a specific system privilege held by the user, along with an associated -// description and/or rationale for the privilege. -type Privilege struct { - // A summary of the privilege's purpose within the system. - Description *string `json:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed"` - // A human readable name for the privilege. - Title string `json:"title"` -} - -// Provides information about the containing document, and defines concepts that are shared -// across the document. 
-type DocumentMetadata struct { - Actions []Action `json:"actions,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified"` - Links []LinkElement `json:"links,omitempty"` - Locations []Location `json:"locations,omitempty"` - OscalVersion string `json:"oscal-version"` - Parties []PartyElement `json:"parties,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` - Roles []Role `json:"roles,omitempty"` - // A name given to the document, which may be used by a tool for display and navigation. - Title string `json:"title"` - Version string `json:"version"` -} - -// An action applied by a role within a given party to the content. -type Action struct { - // The date and time when the action occurred. - Date *time.Time `json:"date,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // Specifies the action type system used. - System string `json:"system"` - // The type of action documented by the assembly, such as an approval. - Type string `json:"type"` - // A unique identifier that can be used to reference this defined action elsewhere in an - // OSCAL document. A UUID should be consistently used for a given location across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A physical point of presence, which may be associated with people, organizations, or -// other concepts within the current or linked OSCAL document. 
-type Location struct { - Address *Address `json:"address,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A name given to the location, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - Urls []string `json:"urls,omitempty"` - // A unique ID for the location, for reference. - UUID string `json:"uuid"` -} - -// A postal address for the location. -type Address struct { - AddrLines []string `json:"addr-lines,omitempty"` - // City, town or geographical region for the mailing address. - City *string `json:"city,omitempty"` - // The ISO 3166-1 alpha-2 country code for the mailing address. - Country *string `json:"country,omitempty"` - // Postal or ZIP code for mailing address. - PostalCode *string `json:"postal-code,omitempty"` - // State, province or analogous geographical region for a mailing address. - State *string `json:"state,omitempty"` - // Indicates the type of address. - Type *string `json:"type,omitempty"` -} - -// A telephone service number as defined by ITU-T E.164. -type TelephoneNumber struct { - Number string `json:"number"` - // Indicates the type of phone number. - Type *string `json:"type,omitempty"` -} - -// An organization or person, which may be associated with roles or other concepts within -// the current or linked OSCAL document. -type PartyElement struct { - Addresses []Address `json:"addresses,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LocationUuids []string `json:"location-uuids,omitempty"` - MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` - // The full name of the party. 
This is typically the legal name associated with the party. - Name *string `json:"name,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the party. - ShortName *string `json:"short-name,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A category describing the kind of party the object describes. - Type PartyType `json:"type"` - // A unique identifier for the party. - UUID string `json:"uuid"` -} - -// An identifier for a person or organization using a designated scheme. e.g. an Open -// Researcher and Contributor ID (ORCID). -type PartyExternalIdentifier struct { - ID string `json:"id"` - // Indicates the type of external identifier. - Scheme string `json:"scheme"` -} - -// An entry in a sequential list of revisions to the containing document, expected to be in -// reverse chronological order (i.e. latest first). -type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty"` - Links []LinkElement `json:"links,omitempty"` - OscalVersion *string `json:"oscal-version,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A name given to the document revision, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - Version string `json:"version"` -} - -// Defines a function, which might be assigned to a party in a specific situation. -type Role struct { - // A summary of the role's purpose and associated responsibilities. - Description *string `json:"description,omitempty"` - // A unique identifier for the role. - ID string `json:"id"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the role. 
- ShortName *string `json:"short-name,omitempty"` - // A name given to the role, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Represents a scheduled event or milestone, which may be associated with a series of -// assessment actions. -type Task struct { - AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` - Dependencies []TaskDependency `json:"dependencies,omitempty"` - // A human-readable description of this task. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The timing under which the task is intended to occur. - Timing *EventTiming `json:"timing,omitempty"` - // The title for this task. - Title string `json:"title"` - // The type of task. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this task elsewhere in this or other OSCAL instances. The locally defined - // UUID of the task can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual activity to be performed as part of a task. -type AssociatedActivity struct { - // A machine-oriented identifier reference to an activity defined in the list of activities. 
- ActivityUUID string `json:"activity-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// Used to indicate that a task is dependent on another task. -type TaskDependency struct { - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// The timing under which the task is intended to occur. -type EventTiming struct { - // The task is intended to occur at the specified frequency. - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` - // The task is intended to occur on the specified date. - OnDate *OnDateCondition `json:"on-date,omitempty"` - // The task is intended to occur within the specified date range. - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` -} - -// The task is intended to occur at the specified frequency. -type FrequencyCondition struct { - // The task must occur after the specified period has elapsed. - Period int64 `json:"period"` - // The unit of time for the period. - Unit TimeUnit `json:"unit"` -} - -// The task is intended to occur on the specified date. -type OnDateCondition struct { - // The task must occur on the specified date. - Date time.Time `json:"date"` -} - -// The task is intended to occur within the specified date range. -type OnDateRangeCondition struct { - // The task must occur on or before the specified date. - End time.Time `json:"end"` - // The task must occur on or after the specified date. - Start time.Time `json:"start"` -} - -// Used to define various terms and conditions under which an assessment, described by the -// plan, can be performed. Each child part defines a different type of term or condition. 
-type AssessmentPlanTermsAndConditions struct { - Parts []AssessmentPart `json:"parts,omitempty"` -} - -// A partition of an assessment plan or results or a child of another part. -type AssessmentPart struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name string `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []AssessmentPart `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this part elsewhere in this or other OSCAL instances. The locally defined - // UUID of the part can be used to reference the data item locally or globally (e.g., in an - // ported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP -// Security Assessment Report. 
-type SecurityAssessmentResultsSAR struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportAp ImportAssessmentPlan `json:"import-ap"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Results []AssessmentResult `json:"results"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment results instance in this or other OSCAL instances. The - // locally defined UUID of the assessment result can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Used by assessment-results to import information about the original plan for assessing -// the system. -type ImportAssessmentPlan struct { - // A resolvable URL reference to the assessment plan governing the assessment activities. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentResultsLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used by the assessment results and POA&M. In the assessment results, this identifies all -// of the assessment observations and findings, initial and residual risks, deviations, and -// disposition. In the POA&M, this identifies initial and residual risks, deviations, and -// disposition. 
-type AssessmentResult struct { - // A log of all assessment-related actions taken. - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` - Attestations []AttestationStatements `json:"attestations,omitempty"` - // A human-readable description of this set of test results. - Description string `json:"description"` - // Date/time stamp identifying the end of the evidence collection reflected in these - // results. In a continuous motoring scenario, this may contain the same value as start if - // appropriate. - End *time.Time `json:"end,omitempty"` - Findings []Finding `json:"findings,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` - Observations []Observation `json:"observations,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - // Date/time stamp identifying the start of the evidence collection reflected in these - // results. - Start time.Time `json:"start"` - // The title for this set of results. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this set of results in this or other OSCAL instances. The locally defined - // UUID of the assessment result can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all assessment-related actions taken. 
-type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries"` -} - -// Identifies the result of an action and/or task that occurred as part of executing an -// assessment plan or an assessment event that occurred in producing the assessment results. -type AssessmentLogEntry struct { - // A human-readable description of this event. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of an event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of an event. - Start time.Time `json:"start"` - // The title for this event. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference an assessment event in this or other OSCAL instances. The locally defined - // UUID of the assessment log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Used to indicate who created a log entry in what role. -type LoggedBy struct { - // A machine-oriented identifier reference to the party who is making the log entry. - PartyUUID string `json:"party-uuid"` - // A point to the role-id of the role in which the party is making the log entry. - RoleID *string `json:"role-id,omitempty"` -} - -// Identifies an individual task for which the containing object is a consequence of. 
-type TaskReference struct { - // Used to detail assessment subjects that were identfied by this task. - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// Used to detail assessment subjects that were identfied by this task. -type IdentifiedSubject struct { - // A machine-oriented identifier reference to a unique assessment subject placeholder - // defined by this task. - SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// A set of textual statements, typically written by the assessor. -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// Describes an individual finding. -type Finding struct { - // A human-readable description of this finding. - Description string `json:"description"` - // A machine-oriented identifier reference to the implementation statement in the SSP to - // which this finding is related. - ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Target TargetClass `json:"target"` - // The title for this finding. 
- Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this finding in this or other OSCAL instances. The locally defined UUID of - // the finding can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the source of the finding, such as a tool, interviewed person, or activity. -type FindingOrigin struct { - Actors []OriginatingActor `json:"actors"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` -} - -// The actor that produces an observation, a finding, or a risk. One or more actor type can -// be used to specify a person that is using a tool. -type OriginatingActor struct { - // A machine-oriented identifier reference to the tool or person based on the associated - // type. - ActorUUID string `json:"actor-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // For a party, this can optionally be used to specify the role the actor was performing. - RoleID *string `json:"role-id,omitempty"` - // The kind of actor. - Type ActorType `json:"type"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type FindingRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type FindingRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. 
- RiskUUID string `json:"risk-uuid"` -} - -// Captures an assessor's conclusions regarding the degree to which an objective is -// satisfied. -type TargetClass struct { - // A human-readable description of the assessor's conclusions regarding the degree to which - // an objective is satisfied. - Description *string `json:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A determination of if the objective is satisfied or not within a given system. - Status StatusClass `json:"status"` - // A machine-oriented identifier reference for a specific target qualified by the type. - TargetID string `json:"target-id"` - // The title for this objective status. - Title *string `json:"title,omitempty"` - // Identifies the type of the target. - Type FindingTargetType `json:"type"` -} - -// Indicates the degree to which the a given control is implemented. -type ImplementationStatus struct { - Remarks *string `json:"remarks,omitempty"` - // Identifies the implementation status of the control or control objective. - State string `json:"state"` -} - -// A determination of if the objective is satisfied or not within a given system. -type StatusClass struct { - // The reason the objective was given it's status. - Reason *string `json:"reason,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // An indication as to whether the objective is satisfied or not. - State ObjectiveStatusState `json:"state"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type ResultLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Describes an individual observation. -type Observation struct { - // Date/time stamp identifying when the finding information was collected. - Collected time.Time `json:"collected"` - // A human-readable description of this assessment observation. - Description string `json:"description"` - // Date/time identifying when the finding information is out-of-date and no longer valid. - // Typically used with continuous assessment scenarios. - Expires *time.Time `json:"expires,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Methods []string `json:"methods"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this observation. - Title *string `json:"title,omitempty"` - Types []string `json:"types,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this observation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the observation can be used to reference the data item locally or - // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Links this observation to relevant evidence. -type RelevantEvidence struct { - // A human-readable description of this evidence. 
- Description string `json:"description"` - // A resolvable URL reference to relevant evidence. - Href *string `json:"href,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A human-oriented identifier reference to a resource. Use type to indicate whether the -// identified resource is a component, inventory item, location, user, or something else. -type IdentifiesTheSubject struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // The title or name for the referenced subject. - Title *string `json:"title,omitempty"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// An identified risk. -type IdentifiedRisk struct { - Characterizations []Characterization `json:"characterizations,omitempty"` - // The date/time by which the risk must be resolved. - Deadline *time.Time `json:"deadline,omitempty"` - // A human-readable summary of the identified risk, to include a statement of how the risk - // impacts the system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` - Remediations []RiskResponse `json:"remediations,omitempty"` - // A log of all risk-related tasks taken. - RiskLog *RiskLog `json:"risk-log,omitempty"` - // An summary of impact for how the risk affects the system. 
- Statement string `json:"statement"` - Status string `json:"status"` - ThreatIDS []ThreatID `json:"threat-ids,omitempty"` - // The title for this risk. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk elsewhere in this or other OSCAL instances. The locally defined - // UUID of the risk can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A collection of descriptive data about the containing object from a specific origin. -type Characterization struct { - Facets []Facet `json:"facets"` - Links []LinkElement `json:"links,omitempty"` - Origin FindingOrigin `json:"origin"` - Props []Property `json:"props,omitempty"` -} - -// An individual characteristic that is part of a larger set produced by the same actor. -type Facet struct { - Links []LinkElement `json:"links,omitempty"` - // The name of the risk metric within the specified system. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Specifies the naming system under which this risk metric is organized, which allows for - // the same names to be used in different systems controlled by different parties. This - // avoids the potential of a name clash. - System string `json:"system"` - // Indicates the value of the facet. - Value string `json:"value"` -} - -// Describes an existing mitigating factor that may affect the overall determination of the -// risk, with an optional link to an implementation statement in the SSP. -type MitigatingFactor struct { - // A human-readable description of this mitigating factor. 
- Description string `json:"description"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this implementation statement elsewhere in this or other OSCAL instancess. - // The locally defined UUID of the implementation statement can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ImplementationUUID *string `json:"implementation-uuid,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this mitigating factor elsewhere in this or other OSCAL instances. The - // locally defined UUID of the mitigating factor can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type RiskRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Describes either recommended or an actual plan for addressing the risk. -type RiskResponse struct { - // A human-readable description of this response plan. - Description string `json:"description"` - // Identifies whether this is a recommendation, such as from an assessor or tool, or an - // actual plan accepted by the system owner. 
- Lifecycle string `json:"lifecycle"` - Links []LinkElement `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The title for this response activity. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this remediation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk response can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an asset required to achieve remediation. -type RequiredAsset struct { - // A human-readable description of this required asset. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this required asset. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this required asset elsewhere in this or other OSCAL instances. The locally - // defined UUID of the asset can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all risk-related tasks taken. 
-type RiskLog struct { - Entries []RiskLogEntry `json:"entries"` -} - -// Identifies an individual risk response that occurred as part of managing an identified -// risk. -type RiskLogEntry struct { - // A human-readable description of what was done regarding the risk. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of the event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of the event. - Start time.Time `json:"start"` - StatusChange *string `json:"status-change,omitempty"` - // The title for this risk log entry. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual risk response that this log entry is for. -type RiskResponseReference struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique risk response. 
- ResponseUUID string `json:"response-uuid"` -} - -// A pointer, by ID, to an externally-defined threat. -type ThreatID struct { - // An optional location for the threat data, from which this ID originates. - Href *string `json:"href,omitempty"` - ID string `json:"id"` - // Specifies the source of the threat information. - System string `json:"system"` -} - -// A structured, organized collection of control information. -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []CatalogGroup `json:"groups,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Params []Parameter `json:"params,omitempty"` - // Provides a globally unique means to identify a given catalog instance. - UUID string `json:"uuid"` -} - -// A structured object representing a requirement or guideline, which when implemented will -// reduce an aspect of risk related to an information system and its information. -type Control struct { - // A textual label that provides a sub-type or characterization of the control. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - // Identifies a control such that it can be referenced in the defining catalog and other - // OSCAL instances (e.g., profiles). - ID string `json:"id"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. -type Parameter struct { - // A textual label that provides a characterization of the type, purpose, use or scope of - // the parameter. 
- Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // (deprecated) Another parameter invoking this one. This construct has been deprecated and - // should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A unique identifier for the parameter. - ID string `json:"id"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter. - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A formal or informal expression of a constraint or test. -type Constraint struct { - // A textual summary of the constraint to be applied. - Description *string `json:"description,omitempty"` - Tests []ConstraintTest `json:"tests,omitempty"` -} - -// A test expression which is expected to be evaluated by a tool. -type ConstraintTest struct { - // A formal (executable) expression of a constraint. - Expression string `json:"expression"` - Remarks *string `json:"remarks,omitempty"` -} - -// A prose statement that provides a recommendation for the use of a parameter. -type Guideline struct { - // Prose permits multiple paragraphs, lists, tables etc. - Prose string `json:"prose"` -} - -// Presenting a choice among alternatives. -type Selection struct { - Choice []string `json:"choice,omitempty"` - // Describes the number of selections that must occur. Without this setting, only one value - // should be assumed to be permitted. - HowMany *ParameterCardinality `json:"how-many,omitempty"` -} - -// A group of controls, or of groups of controls. 
-type CatalogGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []CatalogGroup `json:"groups,omitempty"` - // Identifies the group for the purpose of cross-linking within the defining instance or - // from other instances that reference the catalog. - ID *string `json:"id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// A collection of component descriptions, which may optionally be grouped by capability. -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Capabilities []Capability `json:"capabilities,omitempty"` - Components []ComponentDefinitionComponent `json:"components,omitempty"` - ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - // Provides a globally unique means to identify a given component definition instance. - UUID string `json:"uuid"` -} - -// A grouping of other components and/or capabilities. -type Capability struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A summary of the capability. - Description string `json:"description"` - IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // The capability's human-readable name. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Provides a globally unique means to identify a given capability. 
- UUID string `json:"uuid"` -} - -// Defines how the component or capability supports a set of controls. -type ControlImplementationSet struct { - // A description of how the specified set of controls are implemented for the containing - // component or capability. - Description string `json:"description"` - ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol - // definition. - Source string `json:"source"` - // Provides a means to identify a set of control implementations that are supported by a - // given component or capability. - UUID string `json:"uuid"` -} - -// Describes how the containing component or capability implements an individual control. -type ImplementedRequirementElement struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A suggestion from the supplier (e.g., component vendor or author) for how the specified - // control may be implemented if the containing component or capability is instantiated in a - // system security plan. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []ControlStatementImplementation `json:"statements,omitempty"` - // Provides a globally unique means to identify a given control implementation by a - // component. 
- UUID string `json:"uuid"` -} - -// Identifies the parameter that will be set by the enclosed value. -type SetParameterValue struct { - // A human-oriented reference to a parameter within a control, who's catalog has been - // imported into the current implementation context. - ParamID string `json:"param-id"` - Remarks *string `json:"remarks,omitempty"` - Values []string `json:"values"` -} - -// Identifies which statements within a control are addressed. -type ControlStatementImplementation struct { - // A summary of how the containing control statement is implemented by the component or - // capability. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// The collection of components comprising this capability. -type IncorporatesComponent struct { - // A machine-oriented identifier reference to a component. - ComponentUUID string `json:"component-uuid"` - // A description of the component, including information about its function. - Description string `json:"description"` -} - -// A defined component that can be part of an implemented system. -type ComponentDefinitionComponent struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A description of the component, including information about its function. 
- Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human readable name for the component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // Provides a globally unique means to identify a given component. - UUID string `json:"uuid"` -} - -// Loads a component definition from another resource. -type ImportComponentDefinition struct { - // A link to a resource that defines a set of components and/or capabilities to import into - // this collection. - Href string `json:"href"` -} - -// A plan of action and milestones which identifies initial and residual risks, deviations, -// and disposition, such as those required by FedRAMP. -type PlanOfActionAndMilestonesPOAM struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Findings []Finding `json:"findings,omitempty"` - ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Observations []Observation `json:"observations,omitempty"` - PoamItems []POAMItem `json:"poam-items"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - SystemID *SystemIdentification `json:"system-id,omitempty"` - // A machine-oriented, globally unique identifier with instancescope that can be used to - // reference this POA&M instance in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. 
- UUID string `json:"uuid"` -} - -// Allows components, and inventory-items to be defined within the POA&M for circumstances -// where no OSCAL-based SSP exists, or is not delivered with the POA&M. -type PlanOfActionAndMilestonesLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Describes an individual POA&M item. -type POAMItem struct { - // A human-readable description of POA&M item. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Origins []PoamItemOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedFindings []RelatedFinding `json:"related-findings,omitempty"` - RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for this POA&M item . - Title string `json:"title"` - // A machine-oriented, globally unique identifier with instance scope that can be used to - // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Identifies the source of the finding, such as a tool or person. -type PoamItemOrigin struct { - Actors []OriginatingActor `json:"actors"` -} - -// Relates the poam-item to referenced finding(s). -type RelatedFinding struct { - // A machine-oriented identifier reference to a finding defined in the list of findings. - FindingUUID string `json:"finding-uuid"` -} - -// Relates the poam-item to a set of referenced observations that were used to determine the -// finding. 
-type PoamItemRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type PoamItemRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. - RiskUUID string `json:"risk-uuid"` -} - -// A human-oriented, globally unique identifier with cross-instance scope that can be used -// to reference this system identification property elsewhere in this or other OSCAL -// instances. When referencing an externally defined system identification, the system -// identification must be used in the context of the external / imported OSCAL instance -// (e.g., uri-reference). This string should be assigned per-subject, which means it should -// be consistently used to identify the same system across revisions of the document. -type SystemIdentification struct { - ID string `json:"id"` - // Identifies the identification system from which the provided identifier was assigned. - IdentifierType *string `json:"identifier-type,omitempty"` -} - -// Each OSCAL profile is defined by a profile element. -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Imports []ImportResource `json:"imports"` - Merge *MergeControls `json:"merge,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Modify *ModifyControls `json:"modify,omitempty"` - // Provides a globally unique means to identify a given profile instance. - UUID string `json:"uuid"` -} - -// Designates a referenced source catalog or profile that provides a source of control -// information for use in creating a new overlay or baseline. -type ImportResource struct { - ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` - // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
- Href string `json:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` -} - -// Select a control or controls from an imported control set. -type ImportExcludeControl struct { - Matching []MatchControlsByPattern `json:"matching,omitempty"` - // When a control is included, whether its child (dependent) controls are also included. - WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` - WithIDS []string `json:"with-ids,omitempty"` -} - -// Selecting a set of controls by matching their IDs with a wildcard pattern. -type MatchControlsByPattern struct { - // A glob expression matching the IDs of one or more controls to be selected. - Pattern *string `json:"pattern,omitempty"` -} - -// Provides structuring directives that instruct how controls are organized after profile -// resolution. -type MergeControls struct { - // Indicates that the controls selected should retain their original grouping as defined in - // the import source. - AsIs *bool `json:"as-is,omitempty"` - // A Combine element defines how to resolve duplicate instances of the same control (e.g., - // controls with the same ID). - Combine *CombinationRule `json:"combine,omitempty"` - // Provides an alternate grouping structure that selected controls will be placed in. - Custom *CustomGrouping `json:"custom,omitempty"` - // Directs that controls appear without any grouping structure. - Flat *FlatWithoutGrouping `json:"flat,omitempty"` -} - -// A Combine element defines how to resolve duplicate instances of the same control (e.g., -// controls with the same ID). -type CombinationRule struct { - // Declare how clashing controls should be handled. - Method *CombinationMethod `json:"method,omitempty"` -} - -// Provides an alternate grouping structure that selected controls will be placed in. 
-type CustomGrouping struct { - Groups []CustomGroup `json:"groups,omitempty"` - InsertControls []InsertControls `json:"insert-controls,omitempty"` -} - -// A group of (selected) controls or of groups of controls. -type CustomGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Groups []CustomGroup `json:"groups,omitempty"` - // Identifies the group. - ID *string `json:"id,omitempty"` - InsertControls []InsertControls `json:"insert-controls,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name to be given to the group for use in display. - Title string `json:"title"` -} - -// Specifies which controls to use in the containing context. -type InsertControls struct { - ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` - // A designation of how a selection of controls in a profile is to be ordered. - Order *Order `json:"order,omitempty"` -} - -// Directs that controls appear without any grouping structure. -type FlatWithoutGrouping struct { -} - -// Set parameters or amend controls in resolution. -type ModifyControls struct { - Alters []Alteration `json:"alters,omitempty"` - SetParameters []ParameterSetting `json:"set-parameters,omitempty"` -} - -// Specifies changes to be made to an included control when a profile is resolved. -type Alteration struct { - Adds []Addition `json:"adds,omitempty"` - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). 
- ControlID string `json:"control-id"` - Removes []Removal `json:"removes,omitempty"` -} - -// Specifies contents to be added into controls, in resolution. -type Addition struct { - // Target location of the addition. - ByID *string `json:"by-id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - // Where to add the new content with respect to the targeted element (beside it or inside - // it). - Position *Position `json:"position,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// Specifies objects to be removed from a control based on specific aspects of the object -// that must all match. -type Removal struct { - // Identify items to remove by matching their class. - ByClass *string `json:"by-class,omitempty"` - // Identify items to remove indicated by their id. - ByID *string `json:"by-id,omitempty"` - // Identify items to remove by the name of the item's information object name, e.g. title or - // prop. - ByItemName *ItemNameReference `json:"by-item-name,omitempty"` - // Identify items remove by matching their assigned name. - ByName *string `json:"by-name,omitempty"` - // Identify items to remove by the item's ns, which is the namespace associated with a part, - // or prop. - ByNS *string `json:"by-ns,omitempty"` -} - -// A parameter setting, to be propagated to points of insertion. -type ParameterSetting struct { - // A textual label that provides a characterization of the parameter. - Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. This construct has been deprecated - // and should not be used. 
- DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // An identifier for the parameter. - ParamID string `json:"param-id"` - Props []Property `json:"props,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter. - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A system security plan, such as those described in NIST SP 800-18. -type SystemSecurityPlanSSP struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ControlImplementation ControlImplementationClass `json:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile"` - Metadata DocumentMetadata `json:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. - // The locally defined UUID of the SSP can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes how the system satisfies a set of controls. -type ControlImplementationClass struct { - // A statement describing important things to know about how this set of control - // satisfaction documentation is approached. 
- Description string `json:"description"` - ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` -} - -// Describes how the system satisfies the requirements of an individual control. -type ControlBasedRequirement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []SpecificControlStatement `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control requirement elsewhere in this or other OSCAL instances. The - // locally defined UUID of the control requirement can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Defines how the referenced component implements a set of controls. -type ComponentControlImplementation struct { - // A machine-oriented identifier reference to the component that is implemeting a given - // control. - ComponentUUID string `json:"component-uuid"` - // An implementation statement that describes how a control or a control statement is - // implemented within the referenced system component. 
- Description string `json:"description"` - // Identifies content intended for external consumption, such as with leveraged - // organizations. - Export *Export `json:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Inherited []InheritedControlImplementation `json:"inherited,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this by-component entry elsewhere in this or other OSCAL instances. The - // locally defined UUID of the by-component entry can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies content intended for external consumption, such as with leveraged -// organizations. -type Export struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be available to another system leveraging this system. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Provided []ProvidedControlImplementation `json:"provided,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` -} - -// Describes a capability which may be inherited by a leveraging system. 
-type ProvidedControlImplementation struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be provided to another system leveraging this system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this provided entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the provided entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation responsibility imposed on a leveraging system. -type ControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that a leveraging system must implement to satisfy the control - // provided by a leveraged system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this responsibility elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the responsibility can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation inherited by a leveraging system. -type InheritedControlImplementation struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is inheriting from a leveraged system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inherited control implementation can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how this system satisfies a responsibility imposed by a leveraged system. -type SatisfiedControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is implementing based on a requirement from a - // leveraged system. 
- Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a control implementation that satisfies a - // responsibility imposed by a leveraged system. - ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this satisfied control implementation entry elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance). This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies which statements within a control are addressed. -type SpecificControlStatement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// Used to import the OSCAL profile representing the system's control baseline. 
-type ImportProfile struct { - // A resolvable URL reference to the profile or catalog to use as the system's control - // baseline. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Contains the characteristics of the system, such as its name, purpose, and security -// impact level. -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty"` - DateAuthorized *string `json:"date-authorized,omitempty"` - // A summary of the system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty"` - // The overall information system sensitivity categorization, such as defined by FIPS-199. - SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty"` - Status SystemCharacteristicsStatus `json:"status"` - SystemIDS []SystemIdentification `json:"system-ids"` - SystemInformation SystemInformation `json:"system-information"` - // The full name of the system. - SystemName string `json:"system-name"` - // A short name for the system, such as an acronym, that is suitable for display in a data - // table or summary list. - SystemNameShort *string `json:"system-name-short,omitempty"` -} - -// A description of this system's authorization boundary, optionally supplemented by -// diagrams that illustrate the authorization boundary. -type AuthorizationBoundary struct { - // A summary of the system's authorization boundary. 
- Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A graphic that provides a visual representation the system, or some aspect of it. -type Diagram struct { - // A brief caption to annotate the diagram. - Caption *string `json:"caption,omitempty"` - // A summary of the diagram. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined - // UUID of the diagram can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance). This UUID should be assigned per-subject, which means it - // should be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A description of the logical flow of information within the system and across its -// boundaries, optionally supplemented by diagrams that illustrate these flows. -type DataFlow struct { - // A summary of the system's data flow. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A description of the system's network architecture, optionally supplemented by diagrams -// that illustrate the network architecture. -type NetworkArchitecture struct { - // A summary of the system's network architecture. 
- Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// The overall level of expected impact resulting from unauthorized disclosure, -// modification, or loss of access to information. -type SecurityImpactLevel struct { - // A target-level of availability for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveAvailability string `json:"security-objective-availability"` - // A target-level of confidentiality for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` - // A target-level of integrity for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveIntegrity string `json:"security-objective-integrity"` -} - -// Describes the operational status of the system. -type SystemCharacteristicsStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The current operating status. - State FluffyState `json:"state"` -} - -// Contains details about all information types that are stored, processed, or transmitted -// by the system, such as privacy information, and those defined in NIST SP 800-60. -type SystemInformation struct { - InformationTypes []InformationType `json:"information-types"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` -} - -// Contains details about one information type that is stored, processed, or transmitted by -// the system, such as privacy information, and those defined in NIST SP 800-60. 
-type InformationType struct { - AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty"` - Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` - ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty"` - // A summary of how this information type is used within the system. - Description string `json:"description"` - IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A human readable name for the information type. This title should be meaningful within - // the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this information type elsewhere in this or other OSCAL instances. The - // locally defined UUID of the information type can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// The expected level of impact resulting from the described information. -type ImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// A set of information type identifiers qualified by the given identification system used, -// such as NIST SP 800-60. -type InformationTypeCategorization struct { - InformationTypeIDS []string `json:"information-type-ids,omitempty"` - // Specifies the information type identification system used. - System string `json:"system"` -} - -// Provides information as to how the system is implemented. 
-type SystemImplementation struct { - Components []AssessmentAssetsComponent `json:"components"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users"` -} - -// A description of another authorized system from which this system inherits capabilities -// that satisfy security requirements. Another term for this concept is a common control -// provider. -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized"` - Links []LinkElement `json:"links,omitempty"` - // A machine-oriented identifier reference to the party that manages the leveraged system. - PartyUUID string `json:"party-uuid"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human readable name for the leveraged authorization in the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope and can be used - // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The - // locally defined UUID of the leveraged authorization can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Indicates the transport type. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. 
-// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. 
-// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. 
-// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Transport string - -const ( - TCP Transport = "TCP" - UDP Transport = "UDP" -) - -// The operational status. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. 
-// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. 
This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type PurpleState string - -const ( - PurpleDisposition PurpleState = "disposition" - PurpleOperational PurpleState = "operational" - PurpleOther PurpleState = "other" - PurpleUnderDevelopment PurpleState = "under-development" -) - -// A category describing the kind of party the object describes. -// -// A label that indicates the nature of a resource, as a data serialization or format. 
-// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. 
This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type PartyType string - -const ( - Organization PartyType = "organization" - Person PartyType = "person" -) - -// The unit of time for the period. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. 
-// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. 
-// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type TimeUnit string - -const ( - Days TimeUnit = "days" - Hours TimeUnit = "hours" - Minutes TimeUnit = "minutes" - Months TimeUnit = "months" - Seconds TimeUnit = "seconds" - Years TimeUnit = "years" -) - -// The kind of actor. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. 
This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. 
-// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ActorType string - -const ( - AssessmentPlatform ActorType = "assessment-platform" - Party ActorType = "party" - Tool ActorType = "tool" -) - -// An indication as to whether the objective is satisfied or not. 
-// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. 
When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. 
-// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ObjectiveStatusState string - -const ( - NotSatisfied ObjectiveStatusState = "not-satisfied" - Satisfied ObjectiveStatusState = "satisfied" -) - -// Identifies the type of the target. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. 
-// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. 
-// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type FindingTargetType string - -const ( - ObjectiveID FindingTargetType = "objective-id" - StatementID FindingTargetType = "statement-id" -) - -// Describes the number of selections that must occur. Without this setting, only one value -// should be assumed to be permitted. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. 
-// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. 
This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ParameterCardinality string - -const ( - One ParameterCardinality = "one" - OneOrMore ParameterCardinality = "one-or-more" -) - -// When a control is included, whether its child (dependent) controls are also included. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. 
-// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). 
-// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. 
-// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type IncludeContainedControlsWithControl string - -const ( - No IncludeContainedControlsWithControl = "no" - Yes IncludeContainedControlsWithControl = "yes" -) - -// Declare how clashing controls should be handled. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. 
-// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. 
-// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type CombinationMethod string - -const ( - CombinationMethodKeep CombinationMethod = "keep" - Merge CombinationMethod = "merge" - UseFirst CombinationMethod = "use-first" -) - -// A designation of how a selection of controls in a profile is to be ordered. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. 
-// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. 
-// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Order string - -const ( - Ascending Order = "ascending" - Descending Order = "descending" - OrderKeep Order = "keep" -) - -// Where to add the new content with respect to the targeted element (beside it or inside -// it). -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. 
-// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. 
-// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. 
-// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Position string - -const ( - After Position = "after" - Before Position = "before" - Ending Position = "ending" - Starting Position = "starting" -) - -// Identify items to remove by the name of the item's information object name, e.g. title or -// prop. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. 
-// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. 
-// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ItemNameReference string - -const ( - Link ItemNameReference = "link" - Map ItemNameReference = "map" - Mapping ItemNameReference = "mapping" - Param ItemNameReference = "param" - Part ItemNameReference = "part" - Prop ItemNameReference = "prop" -) - -// The current operating status. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. 
This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. 
-// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type FluffyState string - -const ( - FluffyDisposition FluffyState = "disposition" - FluffyOperational FluffyState = "operational" - FluffyOther FluffyState = "other" - FluffyUnderDevelopment FluffyState = "under-development" - UnderMajorModification FluffyState = "under-major-modification" -) diff --git a/src/types/quicktype/oscal-1-1-1/types.go b/src/types/quicktype/oscal-1-1-1/types.go deleted file mode 100644 index f8cfb373..00000000 --- a/src/types/quicktype/oscal-1-1-1/types.go +++ /dev/null 
@@ -1,3754 +0,0 @@ -// This file was generated from JSON Schema using quicktype, do not modify it directly. -// To parse and unparse this JSON data, add this code to your project and do: -// -// oscalModels, err := UnmarshalOscalModels(bytes) -// bytes, err = oscalModels.Marshal() - -package oscalTypes_1_1_1 - -import "time" - -import "encoding/json" - -func UnmarshalOscalModels(data []byte) (OscalModels, error) { - var r OscalModels - err := json.Unmarshal(data, &r) - return r, err -} - -func (r *OscalModels) Marshal() ([]byte, error) { - return json.Marshal(r) -} - -type OscalModels struct { - Schema *string `json:"$schema,omitempty"` - Catalog *Catalog `json:"catalog,omitempty"` - Profile *Profile `json:"profile,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` - SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` - AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` - AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` -} - -// An assessment plan, such as those provided by a FedRAMP assessor. -type SecurityAssessmentPlanSAP struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. 
- LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Tasks []Task `json:"tasks,omitempty"` - // Used to define various terms and conditions under which an assessment, described by the - // plan, can be performed. Each child part defines a different type of term or condition. - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment plan in this or other OSCAL instances. The locally defined - // UUID of the assessment plan can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Identifies the assets used to perform this assessment, such as the assessment team, -// scanning tools, and assumptions. -type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` -} - -// Used to represent the toolset used to perform aspects of the assessment. -type AssessmentPlatformElement struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for the assessment platform. - Title *string `json:"title,omitempty"` - UsesComponents []UsesComponent `json:"uses-components,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the assessment platform can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A reference to a local or remote resource, that has a specific relation to the containing -// object. -type LinkElement struct { - // A resolvable URL reference to a resource. - Href string `json:"href"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` - // Describes the type of relationship provided by the link's hypertext reference. This can - // be an indicator of the link's purpose. - Rel *string `json:"rel,omitempty"` - // In case where the href points to a back-matter/resource, this value will indicate the URI - // fragment to append to any rlink associated with the resource. This value MUST be URI - // encoded. - ResourceFragment *string `json:"resource-fragment,omitempty"` - // A textual label to associate with the link, which may be used for presentation in a tool. - Text *string `json:"text,omitempty"` -} - -// An attribute, characteristic, or quality of the containing object expressed as a -// namespace qualified name/value pair. -type Property struct { - // A textual label that provides a sub-type or characterization of the property's name. - Class *string `json:"class,omitempty"` - // An identifier for relating distinct sets of properties. - Group *string `json:"group,omitempty"` - // A textual label, within a namespace, that uniquely identifies a specific attribute, - // characteristic, or quality of the property's containing object. - Name string `json:"name"` - // A namespace qualifying the property's name. This allows different organizations to - // associate distinct semantics with the same name. 
- NS *string `json:"ns,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A unique identifier for a property. - UUID *string `json:"uuid,omitempty"` - // Indicates the value of the attribute, characteristic, or quality. - Value string `json:"value"` -} - -// The set of components that are used by the assessment platform. -type UsesComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A reference to a set of persons and/or organizations that have responsibility for -// performing the referenced role in the context of the containing object. -type ResponsibleParty struct { - Links []LinkElement `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A reference to a role performed by a party. - RoleID string `json:"role-id"` -} - -// A defined component that can be part of an implemented system. -type AssessmentAssetsComponent struct { - // A description of the component, including information about its function. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // Describes the operational status of the system component. - Status ComponentStatus `json:"status"` - // A human readable name for the system component. 
- Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Information about the protocol used to provide a service. -type ServiceProtocolInformation struct { - // The common name of the protocol, which should be the appropriate "service name" from the - // IANA Service Name and Transport Protocol Port Number Registry. - Name string `json:"name"` - PortRanges []PortRange `json:"port-ranges,omitempty"` - // A human readable name for the protocol (e.g., Transport Layer Security). - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this service protocol information elsewhere in this or other OSCAL - // instances. The locally defined UUID of the service protocol can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Where applicable this is the IPv4 port range on which the service operates. -type PortRange struct { - // Indicates the ending port number in a port range - End *int64 `json:"end,omitempty"` - // Indicates the starting port number in a port range - Start *int64 `json:"start,omitempty"` - // Indicates the transport type. 
- Transport *Transport `json:"transport,omitempty"` -} - -// A reference to a role with responsibility for performing a function relative to the -// containing object, optionally associated with a set of persons and/or organizations that -// perform that role. -type ResponsibleRole struct { - Links []LinkElement `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to a role performed. - RoleID string `json:"role-id"` -} - -// Describes the operational status of the system component. -type ComponentStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The operational status. - State PurpleState `json:"state"` -} - -// Identifies system elements being assessed, such as components, inventory items, and -// locations. In the assessment plan, this identifies a planned assessment subject. In the -// assessment results this is an actual assessment subject, and reflects any changes from -// the plan. exactly what will be the focus of this assessment. Any subjects not identified -// in this way are out-of-scope. -type SubjectOfAssessment struct { - // A human-readable description of the collection of subjects being included in this - // assessment. - Description *string `json:"description,omitempty"` - ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Indicates the type of assessment subject, such as a component, inventory, item, location, - // or party represented by this selection statement. - Type string `json:"type"` -} - -// Identifies a set of assessment subjects to include/exclude by UUID. 
-type SelectAssessmentSubject struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// Include all controls from the imported catalog or profile resources. -type IncludeAll struct { -} - -// A collection of resources that may be referenced from within the OSCAL document instance. -type BackMatter struct { - Resources []Resource `json:"resources,omitempty"` -} - -// A resource associated with content in the containing document instance. A resource may be -// directly included in the document using base64 encoding or may point to one or more -// equivalent internet resources. -type Resource struct { - // A resource encoded using the Base64 alphabet defined by RFC 2045. - Base64 *Base64 `json:"base64,omitempty"` - // An optional citation consisting of end note text using structured markup. - Citation *Citation `json:"citation,omitempty"` - // An optional short summary of the resource used to indicate the purpose of the resource. - Description *string `json:"description,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Rlinks []ResourceLink `json:"rlinks,omitempty"` - // An optional name given to the resource, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - // A unique identifier for a resource. - UUID string `json:"uuid"` -} - -// A resource encoded using the Base64 alphabet defined by RFC 2045. -type Base64 struct { - // Name of the file before it was encoded as Base64 to be embedded in a resource. 
This is - // the name that will be assigned to the file when the file is decoded. - Filename *string `json:"filename,omitempty"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` - Value string `json:"value"` -} - -// An optional citation consisting of end note text using structured markup. -type Citation struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A line of citation text. - Text string `json:"text"` -} - -// A document identifier qualified by an identifier scheme. -type DocumentIdentifier struct { - Identifier string `json:"identifier"` - // Qualifies the kind of document identifier using a URI. If the scheme is not provided the - // value of the element will be interpreted as a string of characters. - Scheme *string `json:"scheme,omitempty"` -} - -// A URL-based pointer to an external resource with an optional hash for verification and -// change detection. -type ResourceLink struct { - Hashes []Hash `json:"hashes,omitempty"` - // A resolvable URL pointing to the referenced resource. - Href string `json:"href"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` -} - -// A representation of a cryptographic digest generated over a resource using a specified -// hash algorithm. -type Hash struct { - // The digest method by which a hash is derived. - Algorithm string `json:"algorithm"` - Value string `json:"value"` -} - -// Used by the assessment plan and POA&M to import information about the system. -type ImportSystemSecurityPlan struct { - // A resolvable URL reference to the system security plan for the system being assessed. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type AssessmentPlanLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Identifies an assessment or related process that can be performed. In the assessment -// plan, this is an intended activity which may be associated with an assessment task. In -// the assessment results, this an activity that was actually performed as part of an -// assessment. -type Activity struct { - // A human-readable description of this included activity. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Steps []Step `json:"steps,omitempty"` - // The title for this included activity. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment activity elsewhere in this or other OSCAL instances. The - // locally defined UUID of the activity can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies the controls being assessed and their control objectives. 
-type ReviewedControlsAndControlObjectives struct { - ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections"` - // A human-readable description of control objectives. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Identifies the control objectives of the assessment. In the assessment plan, these are -// the planned objectives. In the assessment results, these are the assessed objectives, and -// reflects any changes from the plan. -type ReferencedControlObjectives struct { - // A human-readable description of this collection of control objectives. - Description *string `json:"description,omitempty"` - ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control objective for inclusion/exclusion based on the control -// objective's identifier. -type SelectObjective struct { - // Points to an assessment objective. - ObjectiveID string `json:"objective-id"` -} - -// Identifies the controls being assessed. In the assessment plan, these are the planned -// controls. In the assessment results, these are the actual controls, and reflects any -// changes from the plan. -type AssessedControls struct { - // A human-readable description of in-scope controls specified for assessment. 
- Description *string `json:"description,omitempty"` - ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control for inclusion/exclusion based on one or more control -// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion -// to only specific control statements providing more granularity over the specific -// statements that are within the asessment scope. -type ControlSelectionExcludeControl struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - StatementIDS []string `json:"statement-ids,omitempty"` -} - -// Identifies an individual step in a series of steps related to an activity, such as an -// assessment test or examination procedure. -type Step struct { - // A human-readable description of this step. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` - // The title for this step. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this step elsewhere in this or other OSCAL instances. 
The locally defined - // UUID of the step (in a series of steps) can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A single managed inventory item within the system. -type InventoryItem struct { - // A summary of the inventory item stating its purpose within the system. - Description string `json:"description"` - ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inventory item elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inventory item can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// The set of components that are implemented in a given system inventory item. -type ImplementedComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A local definition of a control objective for this assessment. 
Uses catalog syntax for -// control objective and assessment actions. -type AssessmentSpecificControlObjective struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A human-readable description of this control objective. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Parts []PartElement `json:"parts"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// An annotated, markup-based textual element of a control's or catalog group's definition, -// or a child of another part. -type PartElement struct { - // An optional textual providing a sub-type or characterization of the part's name, or a - // category to which the part belongs. - Class *string `json:"class,omitempty"` - // A unique identifier for the part. - ID *string `json:"id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type, which exists in a - // value space qualified by the ns. - Name string `json:"name"` - // An optional namespace qualifying the part's name. This allows different organizations to - // associate distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // An optional name given to the part, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` -} - -// A type of user that interacts with the system based on an associated role. 
-type SystemUser struct { - AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` - // A summary of the user's purpose within the system. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RoleIDS []string `json:"role-ids,omitempty"` - // A short common name, abbreviation, or acronym for the user. - ShortName *string `json:"short-name,omitempty"` - // A name given to the user, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this user class elsewhere in this or other OSCAL instances. The locally - // defined UUID of the system user can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies a specific system privilege held by the user, along with an associated -// description and/or rationale for the privilege. -type Privilege struct { - // A summary of the privilege's purpose within the system. - Description *string `json:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed"` - // A human readable name for the privilege. - Title string `json:"title"` -} - -// Provides information about the containing document, and defines concepts that are shared -// across the document. 
-type DocumentMetadata struct { - Actions []Action `json:"actions,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified"` - Links []LinkElement `json:"links,omitempty"` - Locations []Location `json:"locations,omitempty"` - OscalVersion string `json:"oscal-version"` - Parties []PartyElement `json:"parties,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` - Roles []Role `json:"roles,omitempty"` - // A name given to the document, which may be used by a tool for display and navigation. - Title string `json:"title"` - Version string `json:"version"` -} - -// An action applied by a role within a given party to the content. -type Action struct { - // The date and time when the action occurred. - Date *time.Time `json:"date,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // Specifies the action type system used. - System string `json:"system"` - // The type of action documented by the assembly, such as an approval. - Type string `json:"type"` - // A unique identifier that can be used to reference this defined action elsewhere in an - // OSCAL document. A UUID should be consistently used for a given location across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A physical point of presence, which may be associated with people, organizations, or -// other concepts within the current or linked OSCAL document. 
-type Location struct { - Address *Address `json:"address,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A name given to the location, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - Urls []string `json:"urls,omitempty"` - // A unique ID for the location, for reference. - UUID string `json:"uuid"` -} - -// A postal address for the location. -type Address struct { - AddrLines []string `json:"addr-lines,omitempty"` - // City, town or geographical region for the mailing address. - City *string `json:"city,omitempty"` - // The ISO 3166-1 alpha-2 country code for the mailing address. - Country *string `json:"country,omitempty"` - // Postal or ZIP code for mailing address. - PostalCode *string `json:"postal-code,omitempty"` - // State, province or analogous geographical region for a mailing address. - State *string `json:"state,omitempty"` - // Indicates the type of address. - Type *string `json:"type,omitempty"` -} - -// A telephone service number as defined by ITU-T E.164. -type TelephoneNumber struct { - Number string `json:"number"` - // Indicates the type of phone number. - Type *string `json:"type,omitempty"` -} - -// An organization or person, which may be associated with roles or other concepts within -// the current or linked OSCAL document. -type PartyElement struct { - Addresses []Address `json:"addresses,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LocationUuids []string `json:"location-uuids,omitempty"` - MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` - // The full name of the party. 
This is typically the legal name associated with the party. - Name *string `json:"name,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the party. - ShortName *string `json:"short-name,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A category describing the kind of party the object describes. - Type PartyType `json:"type"` - // A unique identifier for the party. - UUID string `json:"uuid"` -} - -// An identifier for a person or organization using a designated scheme. e.g. an Open -// Researcher and Contributor ID (ORCID). -type PartyExternalIdentifier struct { - ID string `json:"id"` - // Indicates the type of external identifier. - Scheme string `json:"scheme"` -} - -// An entry in a sequential list of revisions to the containing document, expected to be in -// reverse chronological order (i.e. latest first). -type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty"` - Links []LinkElement `json:"links,omitempty"` - OscalVersion *string `json:"oscal-version,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A name given to the document revision, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - Version string `json:"version"` -} - -// Defines a function, which might be assigned to a party in a specific situation. -type Role struct { - // A summary of the role's purpose and associated responsibilities. - Description *string `json:"description,omitempty"` - // A unique identifier for the role. - ID string `json:"id"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the role. 
- ShortName *string `json:"short-name,omitempty"` - // A name given to the role, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Represents a scheduled event or milestone, which may be associated with a series of -// assessment actions. -type Task struct { - AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` - Dependencies []TaskDependency `json:"dependencies,omitempty"` - // A human-readable description of this task. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The timing under which the task is intended to occur. - Timing *EventTiming `json:"timing,omitempty"` - // The title for this task. - Title string `json:"title"` - // The type of task. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this task elsewhere in this or other OSCAL instances. The locally defined - // UUID of the task can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual activity to be performed as part of a task. -type AssociatedActivity struct { - // A machine-oriented identifier reference to an activity defined in the list of activities. 
- ActivityUUID string `json:"activity-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// Used to indicate that a task is dependent on another task. -type TaskDependency struct { - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// The timing under which the task is intended to occur. -type EventTiming struct { - // The task is intended to occur at the specified frequency. - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` - // The task is intended to occur on the specified date. - OnDate *OnDateCondition `json:"on-date,omitempty"` - // The task is intended to occur within the specified date range. - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` -} - -// The task is intended to occur at the specified frequency. -type FrequencyCondition struct { - // The task must occur after the specified period has elapsed. - Period int64 `json:"period"` - // The unit of time for the period. - Unit TimeUnit `json:"unit"` -} - -// The task is intended to occur on the specified date. -type OnDateCondition struct { - // The task must occur on the specified date. - Date time.Time `json:"date"` -} - -// The task is intended to occur within the specified date range. -type OnDateRangeCondition struct { - // The task must occur on or before the specified date. - End time.Time `json:"end"` - // The task must occur on or after the specified date. - Start time.Time `json:"start"` -} - -// Used to define various terms and conditions under which an assessment, described by the -// plan, can be performed. Each child part defines a different type of term or condition. 
-type AssessmentPlanTermsAndConditions struct { - Parts []AssessmentPart `json:"parts,omitempty"` -} - -// A partition of an assessment plan or results or a child of another part. -type AssessmentPart struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name string `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []AssessmentPart `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this part elsewhere in this or other OSCAL instances. The locally defined - // UUID of the part can be used to reference the data item locally or globally (e.g., in an - // ported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP -// Security Assessment Report. 
-type SecurityAssessmentResultsSAR struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportAp ImportAssessmentPlan `json:"import-ap"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Results []AssessmentResult `json:"results"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment results instance in this or other OSCAL instances. The - // locally defined UUID of the assessment result can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Used by assessment-results to import information about the original plan for assessing -// the system. -type ImportAssessmentPlan struct { - // A resolvable URL reference to the assessment plan governing the assessment activities. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentResultsLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used by the assessment results and POA&M. In the assessment results, this identifies all -// of the assessment observations and findings, initial and residual risks, deviations, and -// disposition. In the POA&M, this identifies initial and residual risks, deviations, and -// disposition. 
-type AssessmentResult struct { - // A log of all assessment-related actions taken. - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` - Attestations []AttestationStatements `json:"attestations,omitempty"` - // A human-readable description of this set of test results. - Description string `json:"description"` - // Date/time stamp identifying the end of the evidence collection reflected in these - // results. In a continuous motoring scenario, this may contain the same value as start if - // appropriate. - End *time.Time `json:"end,omitempty"` - Findings []Finding `json:"findings,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` - Observations []Observation `json:"observations,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - // Date/time stamp identifying the start of the evidence collection reflected in these - // results. - Start time.Time `json:"start"` - // The title for this set of results. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this set of results in this or other OSCAL instances. The locally defined - // UUID of the assessment result can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all assessment-related actions taken. 
-type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries"` -} - -// Identifies the result of an action and/or task that occurred as part of executing an -// assessment plan or an assessment event that occurred in producing the assessment results. -type AssessmentLogEntry struct { - // A human-readable description of this event. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of an event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of an event. - Start time.Time `json:"start"` - // The title for this event. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference an assessment event in this or other OSCAL instances. The locally defined - // UUID of the assessment log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Used to indicate who created a log entry in what role. -type LoggedBy struct { - // A machine-oriented identifier reference to the party who is making the log entry. - PartyUUID string `json:"party-uuid"` - // A point to the role-id of the role in which the party is making the log entry. - RoleID *string `json:"role-id,omitempty"` -} - -// Identifies an individual task for which the containing object is a consequence of. 
-type TaskReference struct { - // Used to detail assessment subjects that were identfied by this task. - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// Used to detail assessment subjects that were identfied by this task. -type IdentifiedSubject struct { - // A machine-oriented identifier reference to a unique assessment subject placeholder - // defined by this task. - SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// A set of textual statements, typically written by the assessor. -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// Describes an individual finding. -type Finding struct { - // A human-readable description of this finding. - Description string `json:"description"` - // A machine-oriented identifier reference to the implementation statement in the SSP to - // which this finding is related. - ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Target TargetClass `json:"target"` - // The title for this finding. 
- Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this finding in this or other OSCAL instances. The locally defined UUID of - // the finding can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the source of the finding, such as a tool, interviewed person, or activity. -type FindingOrigin struct { - Actors []OriginatingActor `json:"actors"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` -} - -// The actor that produces an observation, a finding, or a risk. One or more actor type can -// be used to specify a person that is using a tool. -type OriginatingActor struct { - // A machine-oriented identifier reference to the tool or person based on the associated - // type. - ActorUUID string `json:"actor-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // For a party, this can optionally be used to specify the role the actor was performing. - RoleID *string `json:"role-id,omitempty"` - // The kind of actor. - Type ActorType `json:"type"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type FindingRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type FindingRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. 
- RiskUUID string `json:"risk-uuid"` -} - -// Captures an assessor's conclusions regarding the degree to which an objective is -// satisfied. -type TargetClass struct { - // A human-readable description of the assessor's conclusions regarding the degree to which - // an objective is satisfied. - Description *string `json:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A determination of if the objective is satisfied or not within a given system. - Status StatusClass `json:"status"` - // A machine-oriented identifier reference for a specific target qualified by the type. - TargetID string `json:"target-id"` - // The title for this objective status. - Title *string `json:"title,omitempty"` - // Identifies the type of the target. - Type FindingTargetType `json:"type"` -} - -// Indicates the degree to which the a given control is implemented. -type ImplementationStatus struct { - Remarks *string `json:"remarks,omitempty"` - // Identifies the implementation status of the control or control objective. - State string `json:"state"` -} - -// A determination of if the objective is satisfied or not within a given system. -type StatusClass struct { - // The reason the objective was given it's status. - Reason *string `json:"reason,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // An indication as to whether the objective is satisfied or not. - State ObjectiveStatusState `json:"state"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type ResultLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Describes an individual observation. -type Observation struct { - // Date/time stamp identifying when the finding information was collected. - Collected time.Time `json:"collected"` - // A human-readable description of this assessment observation. - Description string `json:"description"` - // Date/time identifying when the finding information is out-of-date and no longer valid. - // Typically used with continuous assessment scenarios. - Expires *time.Time `json:"expires,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Methods []string `json:"methods"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this observation. - Title *string `json:"title,omitempty"` - Types []string `json:"types,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this observation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the observation can be used to reference the data item locally or - // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Links this observation to relevant evidence. -type RelevantEvidence struct { - // A human-readable description of this evidence. 
- Description string `json:"description"` - // A resolvable URL reference to relevant evidence. - Href *string `json:"href,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A human-oriented identifier reference to a resource. Use type to indicate whether the -// identified resource is a component, inventory item, location, user, or something else. -type IdentifiesTheSubject struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // The title or name for the referenced subject. - Title *string `json:"title,omitempty"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// An identified risk. -type IdentifiedRisk struct { - Characterizations []Characterization `json:"characterizations,omitempty"` - // The date/time by which the risk must be resolved. - Deadline *time.Time `json:"deadline,omitempty"` - // A human-readable summary of the identified risk, to include a statement of how the risk - // impacts the system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` - Remediations []RiskResponse `json:"remediations,omitempty"` - // A log of all risk-related tasks taken. - RiskLog *RiskLog `json:"risk-log,omitempty"` - // An summary of impact for how the risk affects the system. 
- Statement string `json:"statement"` - Status string `json:"status"` - ThreatIDS []ThreatID `json:"threat-ids,omitempty"` - // The title for this risk. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk elsewhere in this or other OSCAL instances. The locally defined - // UUID of the risk can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A collection of descriptive data about the containing object from a specific origin. -type Characterization struct { - Facets []Facet `json:"facets"` - Links []LinkElement `json:"links,omitempty"` - Origin FindingOrigin `json:"origin"` - Props []Property `json:"props,omitempty"` -} - -// An individual characteristic that is part of a larger set produced by the same actor. -type Facet struct { - Links []LinkElement `json:"links,omitempty"` - // The name of the risk metric within the specified system. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Specifies the naming system under which this risk metric is organized, which allows for - // the same names to be used in different systems controlled by different parties. This - // avoids the potential of a name clash. - System string `json:"system"` - // Indicates the value of the facet. - Value string `json:"value"` -} - -// Describes an existing mitigating factor that may affect the overall determination of the -// risk, with an optional link to an implementation statement in the SSP. -type MitigatingFactor struct { - // A human-readable description of this mitigating factor. 
- Description string `json:"description"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this implementation statement elsewhere in this or other OSCAL instancess. - // The locally defined UUID of the implementation statement can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ImplementationUUID *string `json:"implementation-uuid,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this mitigating factor elsewhere in this or other OSCAL instances. The - // locally defined UUID of the mitigating factor can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type RiskRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Describes either recommended or an actual plan for addressing the risk. -type RiskResponse struct { - // A human-readable description of this response plan. - Description string `json:"description"` - // Identifies whether this is a recommendation, such as from an assessor or tool, or an - // actual plan accepted by the system owner. 
- Lifecycle string `json:"lifecycle"` - Links []LinkElement `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The title for this response activity. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this remediation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk response can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an asset required to achieve remediation. -type RequiredAsset struct { - // A human-readable description of this required asset. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this required asset. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this required asset elsewhere in this or other OSCAL instances. The locally - // defined UUID of the asset can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all risk-related tasks taken. 
-type RiskLog struct { - Entries []RiskLogEntry `json:"entries"` -} - -// Identifies an individual risk response that occurred as part of managing an identified -// risk. -type RiskLogEntry struct { - // A human-readable description of what was done regarding the risk. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of the event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of the event. - Start time.Time `json:"start"` - StatusChange *string `json:"status-change,omitempty"` - // The title for this risk log entry. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual risk response that this log entry is for. -type RiskResponseReference struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique risk response. 
- ResponseUUID string `json:"response-uuid"` -} - -// A pointer, by ID, to an externally-defined threat. -type ThreatID struct { - // An optional location for the threat data, from which this ID originates. - Href *string `json:"href,omitempty"` - ID string `json:"id"` - // Specifies the source of the threat information. - System string `json:"system"` -} - -// A structured, organized collection of control information. -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []CatalogGroup `json:"groups,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Params []Parameter `json:"params,omitempty"` - // Provides a globally unique means to identify a given catalog instance. - UUID string `json:"uuid"` -} - -// A structured object representing a requirement or guideline, which when implemented will -// reduce an aspect of risk related to an information system and its information. -type Control struct { - // A textual label that provides a sub-type or characterization of the control. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - // Identifies a control such that it can be referenced in the defining catalog and other - // OSCAL instances (e.g., profiles). - ID string `json:"id"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. -type Parameter struct { - // A textual label that provides a characterization of the type, purpose, use or scope of - // the parameter. 
- Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // (deprecated) Another parameter invoking this one. This construct has been deprecated and - // should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A unique identifier for the parameter. - ID string `json:"id"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter. - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A formal or informal expression of a constraint or test. -type Constraint struct { - // A textual summary of the constraint to be applied. - Description *string `json:"description,omitempty"` - Tests []ConstraintTest `json:"tests,omitempty"` -} - -// A test expression which is expected to be evaluated by a tool. -type ConstraintTest struct { - // A formal (executable) expression of a constraint. - Expression string `json:"expression"` - Remarks *string `json:"remarks,omitempty"` -} - -// A prose statement that provides a recommendation for the use of a parameter. -type Guideline struct { - // Prose permits multiple paragraphs, lists, tables etc. - Prose string `json:"prose"` -} - -// Presenting a choice among alternatives. -type Selection struct { - Choice []string `json:"choice,omitempty"` - // Describes the number of selections that must occur. Without this setting, only one value - // should be assumed to be permitted. - HowMany *ParameterCardinality `json:"how-many,omitempty"` -} - -// A group of controls, or of groups of controls. 
-type CatalogGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []CatalogGroup `json:"groups,omitempty"` - // Identifies the group for the purpose of cross-linking within the defining instance or - // from other instances that reference the catalog. - ID *string `json:"id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// A collection of component descriptions, which may optionally be grouped by capability. -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Capabilities []Capability `json:"capabilities,omitempty"` - Components []ComponentDefinitionComponent `json:"components,omitempty"` - ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - // Provides a globally unique means to identify a given component definition instance. - UUID string `json:"uuid"` -} - -// A grouping of other components and/or capabilities. -type Capability struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A summary of the capability. - Description string `json:"description"` - IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // The capability's human-readable name. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Provides a globally unique means to identify a given capability. 
- UUID string `json:"uuid"` -} - -// Defines how the component or capability supports a set of controls. -type ControlImplementationSet struct { - // A description of how the specified set of controls are implemented for the containing - // component or capability. - Description string `json:"description"` - ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol - // definition. - Source string `json:"source"` - // Provides a means to identify a set of control implementations that are supported by a - // given component or capability. - UUID string `json:"uuid"` -} - -// Describes how the containing component or capability implements an individual control. -type ImplementedRequirementElement struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A suggestion from the supplier (e.g., component vendor or author) for how the specified - // control may be implemented if the containing component or capability is instantiated in a - // system security plan. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []ControlStatementImplementation `json:"statements,omitempty"` - // Provides a globally unique means to identify a given control implementation by a - // component. 
- UUID string `json:"uuid"` -} - -// Identifies the parameter that will be set by the enclosed value. -type SetParameterValue struct { - // A human-oriented reference to a parameter within a control, who's catalog has been - // imported into the current implementation context. - ParamID string `json:"param-id"` - Remarks *string `json:"remarks,omitempty"` - Values []string `json:"values"` -} - -// Identifies which statements within a control are addressed. -type ControlStatementImplementation struct { - // A summary of how the containing control statement is implemented by the component or - // capability. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// The collection of components comprising this capability. -type IncorporatesComponent struct { - // A machine-oriented identifier reference to a component. - ComponentUUID string `json:"component-uuid"` - // A description of the component, including information about its function. - Description string `json:"description"` -} - -// A defined component that can be part of an implemented system. -type ComponentDefinitionComponent struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A description of the component, including information about its function. 
- Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human readable name for the component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // Provides a globally unique means to identify a given component. - UUID string `json:"uuid"` -} - -// Loads a component definition from another resource. -type ImportComponentDefinition struct { - // A link to a resource that defines a set of components and/or capabilities to import into - // this collection. - Href string `json:"href"` -} - -// A plan of action and milestones which identifies initial and residual risks, deviations, -// and disposition, such as those required by FedRAMP. -type PlanOfActionAndMilestonesPOAM struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Findings []Finding `json:"findings,omitempty"` - ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Observations []Observation `json:"observations,omitempty"` - PoamItems []POAMItem `json:"poam-items"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - SystemID *SystemIdentification `json:"system-id,omitempty"` - // A machine-oriented, globally unique identifier with instancescope that can be used to - // reference this POA&M instance in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. 
- UUID string `json:"uuid"` -} - -// Allows components, and inventory-items to be defined within the POA&M for circumstances -// where no OSCAL-based SSP exists, or is not delivered with the POA&M. -type PlanOfActionAndMilestonesLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Describes an individual POA&M item. -type POAMItem struct { - // A human-readable description of POA&M item. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Origins []PoamItemOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedFindings []RelatedFinding `json:"related-findings,omitempty"` - RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for this POA&M item . - Title string `json:"title"` - // A machine-oriented, globally unique identifier with instance scope that can be used to - // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Identifies the source of the finding, such as a tool or person. -type PoamItemOrigin struct { - Actors []OriginatingActor `json:"actors"` -} - -// Relates the poam-item to referenced finding(s). -type RelatedFinding struct { - // A machine-oriented identifier reference to a finding defined in the list of findings. - FindingUUID string `json:"finding-uuid"` -} - -// Relates the poam-item to a set of referenced observations that were used to determine the -// finding. 
-type PoamItemRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type PoamItemRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. - RiskUUID string `json:"risk-uuid"` -} - -// A human-oriented, globally unique identifier with cross-instance scope that can be used -// to reference this system identification property elsewhere in this or other OSCAL -// instances. When referencing an externally defined system identification, the system -// identification must be used in the context of the external / imported OSCAL instance -// (e.g., uri-reference). This string should be assigned per-subject, which means it should -// be consistently used to identify the same system across revisions of the document. -type SystemIdentification struct { - ID string `json:"id"` - // Identifies the identification system from which the provided identifier was assigned. - IdentifierType *string `json:"identifier-type,omitempty"` -} - -// Each OSCAL profile is defined by a profile element. -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Imports []ImportResource `json:"imports"` - Merge *MergeControls `json:"merge,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Modify *ModifyControls `json:"modify,omitempty"` - // Provides a globally unique means to identify a given profile instance. - UUID string `json:"uuid"` -} - -// Designates a referenced source catalog or profile that provides a source of control -// information for use in creating a new overlay or baseline. -type ImportResource struct { - ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` - // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
- Href string `json:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` -} - -// Select a control or controls from an imported control set. -type ImportExcludeControl struct { - Matching []MatchControlsByPattern `json:"matching,omitempty"` - // When a control is included, whether its child (dependent) controls are also included. - WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` - WithIDS []string `json:"with-ids,omitempty"` -} - -// Selecting a set of controls by matching their IDs with a wildcard pattern. -type MatchControlsByPattern struct { - // A glob expression matching the IDs of one or more controls to be selected. - Pattern *string `json:"pattern,omitempty"` -} - -// Provides structuring directives that instruct how controls are organized after profile -// resolution. -type MergeControls struct { - // Indicates that the controls selected should retain their original grouping as defined in - // the import source. - AsIs *bool `json:"as-is,omitempty"` - // A Combine element defines how to resolve duplicate instances of the same control (e.g., - // controls with the same ID). - Combine *CombinationRule `json:"combine,omitempty"` - // Provides an alternate grouping structure that selected controls will be placed in. - Custom *CustomGrouping `json:"custom,omitempty"` - // Directs that controls appear without any grouping structure. - Flat *FlatWithoutGrouping `json:"flat,omitempty"` -} - -// A Combine element defines how to resolve duplicate instances of the same control (e.g., -// controls with the same ID). -type CombinationRule struct { - // Declare how clashing controls should be handled. - Method *CombinationMethod `json:"method,omitempty"` -} - -// Provides an alternate grouping structure that selected controls will be placed in. 
-type CustomGrouping struct { - Groups []CustomGroup `json:"groups,omitempty"` - InsertControls []InsertControls `json:"insert-controls,omitempty"` -} - -// A group of (selected) controls or of groups of controls. -type CustomGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Groups []CustomGroup `json:"groups,omitempty"` - // Identifies the group. - ID *string `json:"id,omitempty"` - InsertControls []InsertControls `json:"insert-controls,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name to be given to the group for use in display. - Title string `json:"title"` -} - -// Specifies which controls to use in the containing context. -type InsertControls struct { - ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` - // A designation of how a selection of controls in a profile is to be ordered. - Order *Order `json:"order,omitempty"` -} - -// Directs that controls appear without any grouping structure. -type FlatWithoutGrouping struct { -} - -// Set parameters or amend controls in resolution. -type ModifyControls struct { - Alters []Alteration `json:"alters,omitempty"` - SetParameters []ParameterSetting `json:"set-parameters,omitempty"` -} - -// Specifies changes to be made to an included control when a profile is resolved. -type Alteration struct { - Adds []Addition `json:"adds,omitempty"` - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). 
- ControlID string `json:"control-id"` - Removes []Removal `json:"removes,omitempty"` -} - -// Specifies contents to be added into controls, in resolution. -type Addition struct { - // Target location of the addition. - ByID *string `json:"by-id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - // Where to add the new content with respect to the targeted element (beside it or inside - // it). - Position *Position `json:"position,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// Specifies objects to be removed from a control based on specific aspects of the object -// that must all match. -type Removal struct { - // Identify items to remove by matching their class. - ByClass *string `json:"by-class,omitempty"` - // Identify items to remove indicated by their id. - ByID *string `json:"by-id,omitempty"` - // Identify items to remove by the name of the item's information object name, e.g. title or - // prop. - ByItemName *ItemNameReference `json:"by-item-name,omitempty"` - // Identify items remove by matching their assigned name. - ByName *string `json:"by-name,omitempty"` - // Identify items to remove by the item's ns, which is the namespace associated with a part, - // or prop. - ByNS *string `json:"by-ns,omitempty"` -} - -// A parameter setting, to be propagated to points of insertion. -type ParameterSetting struct { - // A textual label that provides a characterization of the parameter. - Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. This construct has been deprecated - // and should not be used. 
- DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // An identifier for the parameter. - ParamID string `json:"param-id"` - Props []Property `json:"props,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter. - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A system security plan, such as those described in NIST SP 800-18. -type SystemSecurityPlanSSP struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ControlImplementation ControlImplementationClass `json:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile"` - Metadata DocumentMetadata `json:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. - // The locally defined UUID of the SSP can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes how the system satisfies a set of controls. -type ControlImplementationClass struct { - // A statement describing important things to know about how this set of control - // satisfaction documentation is approached. 
- Description string `json:"description"` - ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` -} - -// Describes how the system satisfies the requirements of an individual control. -type ControlBasedRequirement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []SpecificControlStatement `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control requirement elsewhere in this or other OSCAL instances. The - // locally defined UUID of the control requirement can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Defines how the referenced component implements a set of controls. -type ComponentControlImplementation struct { - // A machine-oriented identifier reference to the component that is implemeting a given - // control. - ComponentUUID string `json:"component-uuid"` - // An implementation statement that describes how a control or a control statement is - // implemented within the referenced system component. 
- Description string `json:"description"` - // Identifies content intended for external consumption, such as with leveraged - // organizations. - Export *Export `json:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Inherited []InheritedControlImplementation `json:"inherited,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this by-component entry elsewhere in this or other OSCAL instances. The - // locally defined UUID of the by-component entry can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies content intended for external consumption, such as with leveraged -// organizations. -type Export struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be available to another system leveraging this system. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Provided []ProvidedControlImplementation `json:"provided,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` -} - -// Describes a capability which may be inherited by a leveraging system. 
-type ProvidedControlImplementation struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be provided to another system leveraging this system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this provided entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the provided entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation responsibility imposed on a leveraging system. -type ControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that a leveraging system must implement to satisfy the control - // provided by a leveraged system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this responsibility elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the responsibility can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation inherited by a leveraging system. -type InheritedControlImplementation struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is inheriting from a leveraged system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inherited control implementation can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how this system satisfies a responsibility imposed by a leveraged system. -type SatisfiedControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is implementing based on a requirement from a - // leveraged system. 
- Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a control implementation that satisfies a - // responsibility imposed by a leveraged system. - ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this satisfied control implementation entry elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance). This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies which statements within a control are addressed. -type SpecificControlStatement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// Used to import the OSCAL profile representing the system's control baseline. 
-type ImportProfile struct { - // A resolvable URL reference to the profile or catalog to use as the system's control - // baseline. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Contains the characteristics of the system, such as its name, purpose, and security -// impact level. -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty"` - DateAuthorized *string `json:"date-authorized,omitempty"` - // A summary of the system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty"` - // The overall information system sensitivity categorization, such as defined by FIPS-199. - SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty"` - Status SystemCharacteristicsStatus `json:"status"` - SystemIDS []SystemIdentification `json:"system-ids"` - SystemInformation SystemInformation `json:"system-information"` - // The full name of the system. - SystemName string `json:"system-name"` - // A short name for the system, such as an acronym, that is suitable for display in a data - // table or summary list. - SystemNameShort *string `json:"system-name-short,omitempty"` -} - -// A description of this system's authorization boundary, optionally supplemented by -// diagrams that illustrate the authorization boundary. -type AuthorizationBoundary struct { - // A summary of the system's authorization boundary. 
- Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A graphic that provides a visual representation the system, or some aspect of it. -type Diagram struct { - // A brief caption to annotate the diagram. - Caption *string `json:"caption,omitempty"` - // A summary of the diagram. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined - // UUID of the diagram can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance). This UUID should be assigned per-subject, which means it - // should be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A description of the logical flow of information within the system and across its -// boundaries, optionally supplemented by diagrams that illustrate these flows. -type DataFlow struct { - // A summary of the system's data flow. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A description of the system's network architecture, optionally supplemented by diagrams -// that illustrate the network architecture. -type NetworkArchitecture struct { - // A summary of the system's network architecture. 
- Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// The overall level of expected impact resulting from unauthorized disclosure, -// modification, or loss of access to information. -type SecurityImpactLevel struct { - // A target-level of availability for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveAvailability string `json:"security-objective-availability"` - // A target-level of confidentiality for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` - // A target-level of integrity for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveIntegrity string `json:"security-objective-integrity"` -} - -// Describes the operational status of the system. -type SystemCharacteristicsStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The current operating status. - State FluffyState `json:"state"` -} - -// Contains details about all information types that are stored, processed, or transmitted -// by the system, such as privacy information, and those defined in NIST SP 800-60. -type SystemInformation struct { - InformationTypes []InformationType `json:"information-types"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` -} - -// Contains details about one information type that is stored, processed, or transmitted by -// the system, such as privacy information, and those defined in NIST SP 800-60. 
-type InformationType struct { - AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty"` - Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` - ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty"` - // A summary of how this information type is used within the system. - Description string `json:"description"` - IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A human readable name for the information type. This title should be meaningful within - // the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this information type elsewhere in this or other OSCAL instances. The - // locally defined UUID of the information type can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// The expected level of impact resulting from the described information. -type ImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// A set of information type identifiers qualified by the given identification system used, -// such as NIST SP 800-60. -type InformationTypeCategorization struct { - InformationTypeIDS []string `json:"information-type-ids,omitempty"` - // Specifies the information type identification system used. - System string `json:"system"` -} - -// Provides information as to how the system is implemented. 
-type SystemImplementation struct { - Components []AssessmentAssetsComponent `json:"components"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users"` -} - -// A description of another authorized system from which this system inherits capabilities -// that satisfy security requirements. Another term for this concept is a common control -// provider. -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized"` - Links []LinkElement `json:"links,omitempty"` - // A machine-oriented identifier reference to the party that manages the leveraged system. - PartyUUID string `json:"party-uuid"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human readable name for the leveraged authorization in the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope and can be used - // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The - // locally defined UUID of the leveraged authorization can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Indicates the transport type. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. 
-// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. 
-// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. 
-// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Transport string - -const ( - TCP Transport = "TCP" - UDP Transport = "UDP" -) - -// The operational status. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. 
-// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. 
This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type PurpleState string - -const ( - PurpleDisposition PurpleState = "disposition" - PurpleOperational PurpleState = "operational" - PurpleOther PurpleState = "other" - PurpleUnderDevelopment PurpleState = "under-development" -) - -// A category describing the kind of party the object describes. -// -// A label that indicates the nature of a resource, as a data serialization or format. 
-// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. 
This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type PartyType string - -const ( - Organization PartyType = "organization" - Person PartyType = "person" -) - -// The unit of time for the period. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. 
-// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. 
-// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type TimeUnit string - -const ( - Days TimeUnit = "days" - Hours TimeUnit = "hours" - Minutes TimeUnit = "minutes" - Months TimeUnit = "months" - Seconds TimeUnit = "seconds" - Years TimeUnit = "years" -) - -// The kind of actor. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. 
This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. 
-// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ActorType string - -const ( - AssessmentPlatform ActorType = "assessment-platform" - Party ActorType = "party" - Tool ActorType = "tool" -) - -// An indication as to whether the objective is satisfied or not. 
-// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. 
When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. 
-// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ObjectiveStatusState string - -const ( - NotSatisfied ObjectiveStatusState = "not-satisfied" - Satisfied ObjectiveStatusState = "satisfied" -) - -// Identifies the type of the target. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. 
-// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. 
-// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type FindingTargetType string - -const ( - ObjectiveID FindingTargetType = "objective-id" - StatementID FindingTargetType = "statement-id" -) - -// Describes the number of selections that must occur. Without this setting, only one value -// should be assumed to be permitted. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. 
-// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. 
This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ParameterCardinality string - -const ( - One ParameterCardinality = "one" - OneOrMore ParameterCardinality = "one-or-more" -) - -// When a control is included, whether its child (dependent) controls are also included. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. 
-// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). 
-// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. 
-// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type IncludeContainedControlsWithControl string - -const ( - No IncludeContainedControlsWithControl = "no" - Yes IncludeContainedControlsWithControl = "yes" -) - -// Declare how clashing controls should be handled. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. 
-// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. 
-// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type CombinationMethod string - -const ( - CombinationMethodKeep CombinationMethod = "keep" - Merge CombinationMethod = "merge" - UseFirst CombinationMethod = "use-first" -) - -// A designation of how a selection of controls in a profile is to be ordered. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. 
-// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. 
-// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Order string - -const ( - Ascending Order = "ascending" - Descending Order = "descending" - OrderKeep Order = "keep" -) - -// Where to add the new content with respect to the targeted element (beside it or inside -// it). -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. 
-// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. 
-// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. 
-// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Position string - -const ( - After Position = "after" - Before Position = "before" - Ending Position = "ending" - Starting Position = "starting" -) - -// Identify items to remove by the name of the item's information object name, e.g. title or -// prop. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. 
-// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. 
-// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ItemNameReference string - -const ( - Link ItemNameReference = "link" - Map ItemNameReference = "map" - Mapping ItemNameReference = "mapping" - Param ItemNameReference = "param" - Part ItemNameReference = "part" - Prop ItemNameReference = "prop" -) - -// The current operating status. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. 
This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. 
-// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type FluffyState string - -const ( - FluffyDisposition FluffyState = "disposition" - FluffyOperational FluffyState = "operational" - FluffyOther FluffyState = "other" - FluffyUnderDevelopment FluffyState = "under-development" - UnderMajorModification FluffyState = "under-major-modification" -) diff --git a/src/types/quicktype/oscal-1-1-2/types.go b/src/types/quicktype/oscal-1-1-2/types.go deleted file mode 100644 index b50677fb..00000000 --- a/src/types/quicktype/oscal-1-1-2/types.go +++ /dev/null 
@@ -1,3754 +0,0 @@ -// This file was generated from JSON Schema using quicktype, do not modify it directly. -// To parse and unparse this JSON data, add this code to your project and do: -// -// oscalModels, err := UnmarshalOscalModels(bytes) -// bytes, err = oscalModels.Marshal() - -package oscalTypes_1_1_2 - -import "time" - -import "encoding/json" - -func UnmarshalOscalModels(data []byte) (OscalModels, error) { - var r OscalModels - err := json.Unmarshal(data, &r) - return r, err -} - -func (r *OscalModels) Marshal() ([]byte, error) { - return json.Marshal(r) -} - -type OscalModels struct { - Schema *string `json:"$schema,omitempty"` - Catalog *Catalog `json:"catalog,omitempty"` - Profile *Profile `json:"profile,omitempty"` - ComponentDefinition *ComponentDefinition `json:"component-definition,omitempty"` - SystemSecurityPlan *SystemSecurityPlanSSP `json:"system-security-plan,omitempty"` - AssessmentPlan *SecurityAssessmentPlanSAP `json:"assessment-plan,omitempty"` - AssessmentResults *SecurityAssessmentResultsSAR `json:"assessment-results,omitempty"` - PlanOfActionAndMilestones *PlanOfActionAndMilestonesPOAM `json:"plan-of-action-and-milestones,omitempty"` -} - -// An assessment plan, such as those provided by a FedRAMP assessor. -type SecurityAssessmentPlanSAP struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - AssessmentSubjects []SubjectOfAssessment `json:"assessment-subjects,omitempty"` - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportSSP ImportSystemSecurityPlan `json:"import-ssp"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. 
- LocalDefinitions *AssessmentPlanLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Tasks []Task `json:"tasks,omitempty"` - // Used to define various terms and conditions under which an assessment, described by the - // plan, can be performed. Each child part defines a different type of term or condition. - TermsAndConditions *AssessmentPlanTermsAndConditions `json:"terms-and-conditions,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment plan in this or other OSCAL instances. The locally defined - // UUID of the assessment plan can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Identifies the assets used to perform this assessment, such as the assessment team, -// scanning tools, and assumptions. -type AssessmentAssets struct { - AssessmentPlatforms []AssessmentPlatformElement `json:"assessment-platforms"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` -} - -// Used to represent the toolset used to perform aspects of the assessment. -type AssessmentPlatformElement struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for the assessment platform. - Title *string `json:"title,omitempty"` - UsesComponents []UsesComponent `json:"uses-components,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment platform elsewhere in this or other OSCAL instances. 
The - // locally defined UUID of the assessment platform can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// A reference to a local or remote resource, that has a specific relation to the containing -// object. -type LinkElement struct { - // A resolvable URL reference to a resource. - Href string `json:"href"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` - // Describes the type of relationship provided by the link's hypertext reference. This can - // be an indicator of the link's purpose. - Rel *string `json:"rel,omitempty"` - // In case where the href points to a back-matter/resource, this value will indicate the URI - // fragment to append to any rlink associated with the resource. This value MUST be URI - // encoded. - ResourceFragment *string `json:"resource-fragment,omitempty"` - // A textual label to associate with the link, which may be used for presentation in a tool. - Text *string `json:"text,omitempty"` -} - -// An attribute, characteristic, or quality of the containing object expressed as a -// namespace qualified name/value pair. -type Property struct { - // A textual label that provides a sub-type or characterization of the property's name. - Class *string `json:"class,omitempty"` - // An identifier for relating distinct sets of properties. - Group *string `json:"group,omitempty"` - // A textual label, within a namespace, that uniquely identifies a specific attribute, - // characteristic, or quality of the property's containing object. - Name string `json:"name"` - // A namespace qualifying the property's name. This allows different organizations to - // associate distinct semantics with the same name. 
- NS *string `json:"ns,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A unique identifier for a property. - UUID *string `json:"uuid,omitempty"` - // Indicates the value of the attribute, characteristic, or quality. - Value string `json:"value"` -} - -// The set of components that are used by the assessment platform. -type UsesComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A reference to a set of persons and/or organizations that have responsibility for -// performing the referenced role in the context of the containing object. -type ResponsibleParty struct { - Links []LinkElement `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A reference to a role performed by a party. - RoleID string `json:"role-id"` -} - -// A defined component that can be part of an implemented system. -type AssessmentAssetsComponent struct { - // A description of the component, including information about its function. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // Describes the operational status of the system component. - Status ComponentStatus `json:"status"` - // A human readable name for the system component. 
- Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this component elsewhere in this or other OSCAL instances. The locally - // defined UUID of the component can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// Information about the protocol used to provide a service. -type ServiceProtocolInformation struct { - // The common name of the protocol, which should be the appropriate "service name" from the - // IANA Service Name and Transport Protocol Port Number Registry. - Name string `json:"name"` - PortRanges []PortRange `json:"port-ranges,omitempty"` - // A human readable name for the protocol (e.g., Transport Layer Security). - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this service protocol information elsewhere in this or other OSCAL - // instances. The locally defined UUID of the service protocol can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Where applicable this is the IPv4 port range on which the service operates. -type PortRange struct { - // Indicates the ending port number in a port range - End *int64 `json:"end,omitempty"` - // Indicates the starting port number in a port range - Start *int64 `json:"start,omitempty"` - // Indicates the transport type. 
- Transport *Transport `json:"transport,omitempty"` -} - -// A reference to a role with responsibility for performing a function relative to the -// containing object, optionally associated with a set of persons and/or organizations that -// perform that role. -type ResponsibleRole struct { - Links []LinkElement `json:"links,omitempty"` - PartyUuids []string `json:"party-uuids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human-oriented identifier reference to a role performed. - RoleID string `json:"role-id"` -} - -// Describes the operational status of the system component. -type ComponentStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The operational status. - State PurpleState `json:"state"` -} - -// Identifies system elements being assessed, such as components, inventory items, and -// locations. In the assessment plan, this identifies a planned assessment subject. In the -// assessment results this is an actual assessment subject, and reflects any changes from -// the plan. exactly what will be the focus of this assessment. Any subjects not identified -// in this way are out-of-scope. -type SubjectOfAssessment struct { - // A human-readable description of the collection of subjects being included in this - // assessment. - Description *string `json:"description,omitempty"` - ExcludeSubjects []SelectAssessmentSubject `json:"exclude-subjects,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeSubjects []SelectAssessmentSubject `json:"include-subjects,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Indicates the type of assessment subject, such as a component, inventory, item, location, - // or party represented by this selection statement. - Type string `json:"type"` -} - -// Identifies a set of assessment subjects to include/exclude by UUID. 
-type SelectAssessmentSubject struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// Include all controls from the imported catalog or profile resources. -type IncludeAll struct { -} - -// A collection of resources that may be referenced from within the OSCAL document instance. -type BackMatter struct { - Resources []Resource `json:"resources,omitempty"` -} - -// A resource associated with content in the containing document instance. A resource may be -// directly included in the document using base64 encoding or may point to one or more -// equivalent internet resources. -type Resource struct { - // A resource encoded using the Base64 alphabet defined by RFC 2045. - Base64 *Base64 `json:"base64,omitempty"` - // An optional citation consisting of end note text using structured markup. - Citation *Citation `json:"citation,omitempty"` - // An optional short summary of the resource used to indicate the purpose of the resource. - Description *string `json:"description,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Rlinks []ResourceLink `json:"rlinks,omitempty"` - // An optional name given to the resource, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - // A unique identifier for a resource. - UUID string `json:"uuid"` -} - -// A resource encoded using the Base64 alphabet defined by RFC 2045. -type Base64 struct { - // Name of the file before it was encoded as Base64 to be embedded in a resource. 
This is - // the name that will be assigned to the file when the file is decoded. - Filename *string `json:"filename,omitempty"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` - Value string `json:"value"` -} - -// An optional citation consisting of end note text using structured markup. -type Citation struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A line of citation text. - Text string `json:"text"` -} - -// A document identifier qualified by an identifier scheme. -type DocumentIdentifier struct { - Identifier string `json:"identifier"` - // Qualifies the kind of document identifier using a URI. If the scheme is not provided the - // value of the element will be interpreted as a string of characters. - Scheme *string `json:"scheme,omitempty"` -} - -// A URL-based pointer to an external resource with an optional hash for verification and -// change detection. -type ResourceLink struct { - Hashes []Hash `json:"hashes,omitempty"` - // A resolvable URL pointing to the referenced resource. - Href string `json:"href"` - // A label that indicates the nature of a resource, as a data serialization or format. - MediaType *string `json:"media-type,omitempty"` -} - -// A representation of a cryptographic digest generated over a resource using a specified -// hash algorithm. -type Hash struct { - // The digest method by which a hash is derived. - Algorithm string `json:"algorithm"` - Value string `json:"value"` -} - -// Used by the assessment plan and POA&M to import information about the system. -type ImportSystemSecurityPlan struct { - // A resolvable URL reference to the system security plan for the system being assessed. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type AssessmentPlanLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Identifies an assessment or related process that can be performed. In the assessment -// plan, this is an intended activity which may be associated with an assessment task. In -// the assessment results, this an activity that was actually performed as part of an -// assessment. -type Activity struct { - // A human-readable description of this included activity. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedControls *ReviewedControlsAndControlObjectives `json:"related-controls,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Steps []Step `json:"steps,omitempty"` - // The title for this included activity. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment activity elsewhere in this or other OSCAL instances. The - // locally defined UUID of the activity can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies the controls being assessed and their control objectives. 
-type ReviewedControlsAndControlObjectives struct { - ControlObjectiveSelections []ReferencedControlObjectives `json:"control-objective-selections,omitempty"` - ControlSelections []AssessedControls `json:"control-selections"` - // A human-readable description of control objectives. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Identifies the control objectives of the assessment. In the assessment plan, these are -// the planned objectives. In the assessment results, these are the assessed objectives, and -// reflects any changes from the plan. -type ReferencedControlObjectives struct { - // A human-readable description of this collection of control objectives. - Description *string `json:"description,omitempty"` - ExcludeObjectives []SelectObjective `json:"exclude-objectives,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeObjectives []SelectObjective `json:"include-objectives,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control objective for inclusion/exclusion based on the control -// objective's identifier. -type SelectObjective struct { - // Points to an assessment objective. - ObjectiveID string `json:"objective-id"` -} - -// Identifies the controls being assessed. In the assessment plan, these are the planned -// controls. In the assessment results, these are the actual controls, and reflects any -// changes from the plan. -type AssessedControls struct { - // A human-readable description of in-scope controls specified for assessment. 
- Description *string `json:"description,omitempty"` - ExcludeControls []ControlSelectionExcludeControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ControlSelectionExcludeControl `json:"include-controls,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to select a control for inclusion/exclusion based on one or more control -// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion -// to only specific control statements providing more granularity over the specific -// statements that are within the asessment scope. -type ControlSelectionExcludeControl struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - StatementIDS []string `json:"statement-ids,omitempty"` -} - -// Identifies an individual step in a series of steps related to an activity, such as an -// assessment test or examination procedure. -type Step struct { - // A human-readable description of this step. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - ReviewedControls *ReviewedControlsAndControlObjectives `json:"reviewed-controls,omitempty"` - // The title for this step. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this step elsewhere in this or other OSCAL instances. 
The locally defined - // UUID of the step (in a series of steps) can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A single managed inventory item within the system. -type InventoryItem struct { - // A summary of the inventory item stating its purpose within the system. - Description string `json:"description"` - ImplementedComponents []ImplementedComponent `json:"implemented-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inventory item elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inventory item can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// The set of components that are implemented in a given system inventory item. -type ImplementedComponent struct { - // A machine-oriented identifier reference to a component that is implemented as part of an - // inventory item. - ComponentUUID string `json:"component-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// A local definition of a control objective for this assessment. 
Uses catalog syntax for -// control objective and assessment actions. -type AssessmentSpecificControlObjective struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A human-readable description of this control objective. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Parts []PartElement `json:"parts"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// An annotated, markup-based textual element of a control's or catalog group's definition, -// or a child of another part. -type PartElement struct { - // An optional textual providing a sub-type or characterization of the part's name, or a - // category to which the part belongs. - Class *string `json:"class,omitempty"` - // A unique identifier for the part. - ID *string `json:"id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type, which exists in a - // value space qualified by the ns. - Name string `json:"name"` - // An optional namespace qualifying the part's name. This allows different organizations to - // associate distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // An optional name given to the part, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` -} - -// A type of user that interacts with the system based on an associated role. 
-type SystemUser struct { - AuthorizedPrivileges []Privilege `json:"authorized-privileges,omitempty"` - // A summary of the user's purpose within the system. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RoleIDS []string `json:"role-ids,omitempty"` - // A short common name, abbreviation, or acronym for the user. - ShortName *string `json:"short-name,omitempty"` - // A name given to the user, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this user class elsewhere in this or other OSCAL instances. The locally - // defined UUID of the system user can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies a specific system privilege held by the user, along with an associated -// description and/or rationale for the privilege. -type Privilege struct { - // A summary of the privilege's purpose within the system. - Description *string `json:"description,omitempty"` - FunctionsPerformed []string `json:"functions-performed"` - // A human readable name for the privilege. - Title string `json:"title"` -} - -// Provides information about the containing document, and defines concepts that are shared -// across the document. 
-type DocumentMetadata struct { - Actions []Action `json:"actions,omitempty"` - DocumentIDS []DocumentIdentifier `json:"document-ids,omitempty"` - LastModified time.Time `json:"last-modified"` - Links []LinkElement `json:"links,omitempty"` - Locations []Location `json:"locations,omitempty"` - OscalVersion string `json:"oscal-version"` - Parties []PartyElement `json:"parties,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Revisions []RevisionHistoryEntry `json:"revisions,omitempty"` - Roles []Role `json:"roles,omitempty"` - // A name given to the document, which may be used by a tool for display and navigation. - Title string `json:"title"` - Version string `json:"version"` -} - -// An action applied by a role within a given party to the content. -type Action struct { - // The date and time when the action occurred. - Date *time.Time `json:"date,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - // Specifies the action type system used. - System string `json:"system"` - // The type of action documented by the assembly, such as an approval. - Type string `json:"type"` - // A unique identifier that can be used to reference this defined action elsewhere in an - // OSCAL document. A UUID should be consistently used for a given location across revisions - // of the document. - UUID string `json:"uuid"` -} - -// A physical point of presence, which may be associated with people, organizations, or -// other concepts within the current or linked OSCAL document. 
-type Location struct { - Address *Address `json:"address,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A name given to the location, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - Urls []string `json:"urls,omitempty"` - // A unique ID for the location, for reference. - UUID string `json:"uuid"` -} - -// A postal address for the location. -type Address struct { - AddrLines []string `json:"addr-lines,omitempty"` - // City, town or geographical region for the mailing address. - City *string `json:"city,omitempty"` - // The ISO 3166-1 alpha-2 country code for the mailing address. - Country *string `json:"country,omitempty"` - // Postal or ZIP code for mailing address. - PostalCode *string `json:"postal-code,omitempty"` - // State, province or analogous geographical region for a mailing address. - State *string `json:"state,omitempty"` - // Indicates the type of address. - Type *string `json:"type,omitempty"` -} - -// A telephone service number as defined by ITU-T E.164. -type TelephoneNumber struct { - Number string `json:"number"` - // Indicates the type of phone number. - Type *string `json:"type,omitempty"` -} - -// An organization or person, which may be associated with roles or other concepts within -// the current or linked OSCAL document. -type PartyElement struct { - Addresses []Address `json:"addresses,omitempty"` - EmailAddresses []string `json:"email-addresses,omitempty"` - ExternalIDS []PartyExternalIdentifier `json:"external-ids,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LocationUuids []string `json:"location-uuids,omitempty"` - MemberOfOrganizations []string `json:"member-of-organizations,omitempty"` - // The full name of the party. 
This is typically the legal name associated with the party. - Name *string `json:"name,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the party. - ShortName *string `json:"short-name,omitempty"` - TelephoneNumbers []TelephoneNumber `json:"telephone-numbers,omitempty"` - // A category describing the kind of party the object describes. - Type PartyType `json:"type"` - // A unique identifier for the party. - UUID string `json:"uuid"` -} - -// An identifier for a person or organization using a designated scheme. e.g. an Open -// Researcher and Contributor ID (ORCID). -type PartyExternalIdentifier struct { - ID string `json:"id"` - // Indicates the type of external identifier. - Scheme string `json:"scheme"` -} - -// An entry in a sequential list of revisions to the containing document, expected to be in -// reverse chronological order (i.e. latest first). -type RevisionHistoryEntry struct { - LastModified *time.Time `json:"last-modified,omitempty"` - Links []LinkElement `json:"links,omitempty"` - OscalVersion *string `json:"oscal-version,omitempty"` - Props []Property `json:"props,omitempty"` - Published *time.Time `json:"published,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A name given to the document revision, which may be used by a tool for display and - // navigation. - Title *string `json:"title,omitempty"` - Version string `json:"version"` -} - -// Defines a function, which might be assigned to a party in a specific situation. -type Role struct { - // A summary of the role's purpose and associated responsibilities. - Description *string `json:"description,omitempty"` - // A unique identifier for the role. - ID string `json:"id"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A short common name, abbreviation, or acronym for the role. 
- ShortName *string `json:"short-name,omitempty"` - // A name given to the role, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Represents a scheduled event or milestone, which may be associated with a series of -// assessment actions. -type Task struct { - AssociatedActivities []AssociatedActivity `json:"associated-activities,omitempty"` - Dependencies []TaskDependency `json:"dependencies,omitempty"` - // A human-readable description of this task. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The timing under which the task is intended to occur. - Timing *EventTiming `json:"timing,omitempty"` - // The title for this task. - Title string `json:"title"` - // The type of task. - Type string `json:"type"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this task elsewhere in this or other OSCAL instances. The locally defined - // UUID of the task can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual activity to be performed as part of a task. -type AssociatedActivity struct { - // A machine-oriented identifier reference to an activity defined in the list of activities. 
- ActivityUUID string `json:"activity-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// Used to indicate that a task is dependent on another task. -type TaskDependency struct { - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// The timing under which the task is intended to occur. -type EventTiming struct { - // The task is intended to occur at the specified frequency. - AtFrequency *FrequencyCondition `json:"at-frequency,omitempty"` - // The task is intended to occur on the specified date. - OnDate *OnDateCondition `json:"on-date,omitempty"` - // The task is intended to occur within the specified date range. - WithinDateRange *OnDateRangeCondition `json:"within-date-range,omitempty"` -} - -// The task is intended to occur at the specified frequency. -type FrequencyCondition struct { - // The task must occur after the specified period has elapsed. - Period int64 `json:"period"` - // The unit of time for the period. - Unit TimeUnit `json:"unit"` -} - -// The task is intended to occur on the specified date. -type OnDateCondition struct { - // The task must occur on the specified date. - Date time.Time `json:"date"` -} - -// The task is intended to occur within the specified date range. -type OnDateRangeCondition struct { - // The task must occur on or before the specified date. - End time.Time `json:"end"` - // The task must occur on or after the specified date. - Start time.Time `json:"start"` -} - -// Used to define various terms and conditions under which an assessment, described by the -// plan, can be performed. Each child part defines a different type of term or condition. 
-type AssessmentPlanTermsAndConditions struct { - Parts []AssessmentPart `json:"parts,omitempty"` -} - -// A partition of an assessment plan or results or a child of another part. -type AssessmentPart struct { - // A textual label that provides a sub-type or characterization of the part's name. This can - // be used to further distinguish or discriminate between the semantics of multiple parts of - // the same control with the same name and ns. - Class *string `json:"class,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // A textual label that uniquely identifies the part's semantic type. - Name string `json:"name"` - // A namespace qualifying the part's name. This allows different organizations to associate - // distinct semantics with the same name. - NS *string `json:"ns,omitempty"` - Parts []AssessmentPart `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // Permits multiple paragraphs, lists, tables etc. - Prose *string `json:"prose,omitempty"` - // A name given to the part, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this part elsewhere in this or other OSCAL instances. The locally defined - // UUID of the part can be used to reference the data item locally or globally (e.g., in an - // ported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP -// Security Assessment Report. 
-type SecurityAssessmentResultsSAR struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ImportAp ImportAssessmentPlan `json:"import-ap"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *AssessmentResultsLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Results []AssessmentResult `json:"results"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this assessment results instance in this or other OSCAL instances. The - // locally defined UUID of the assessment result can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Used by assessment-results to import information about the original plan for assessing -// the system. -type ImportAssessmentPlan struct { - // A resolvable URL reference to the assessment plan governing the assessment activities. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. -type AssessmentResultsLocalDefinitions struct { - Activities []Activity `json:"activities,omitempty"` - ObjectivesAndMethods []AssessmentSpecificControlObjective `json:"objectives-and-methods,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Used by the assessment results and POA&M. In the assessment results, this identifies all -// of the assessment observations and findings, initial and residual risks, deviations, and -// disposition. In the POA&M, this identifies initial and residual risks, deviations, and -// disposition. 
-type AssessmentResult struct { - // A log of all assessment-related actions taken. - AssessmentLog *AssessmentLog `json:"assessment-log,omitempty"` - Attestations []AttestationStatements `json:"attestations,omitempty"` - // A human-readable description of this set of test results. - Description string `json:"description"` - // Date/time stamp identifying the end of the evidence collection reflected in these - // results. In a continuous motoring scenario, this may contain the same value as start if - // appropriate. - End *time.Time `json:"end,omitempty"` - Findings []Finding `json:"findings,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // Used to define data objects that are used in the assessment plan, that do not appear in - // the referenced SSP. - LocalDefinitions *ResultLocalDefinitions `json:"local-definitions,omitempty"` - Observations []Observation `json:"observations,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ReviewedControls ReviewedControlsAndControlObjectives `json:"reviewed-controls"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - // Date/time stamp identifying the start of the evidence collection reflected in these - // results. - Start time.Time `json:"start"` - // The title for this set of results. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this set of results in this or other OSCAL instances. The locally defined - // UUID of the assessment result can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all assessment-related actions taken. 
-type AssessmentLog struct { - Entries []AssessmentLogEntry `json:"entries"` -} - -// Identifies the result of an action and/or task that occurred as part of executing an -// assessment plan or an assessment event that occurred in producing the assessment results. -type AssessmentLogEntry struct { - // A human-readable description of this event. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of an event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of an event. - Start time.Time `json:"start"` - // The title for this event. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference an assessment event in this or other OSCAL instances. The locally defined - // UUID of the assessment log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Used to indicate who created a log entry in what role. -type LoggedBy struct { - // A machine-oriented identifier reference to the party who is making the log entry. - PartyUUID string `json:"party-uuid"` - // A point to the role-id of the role in which the party is making the log entry. - RoleID *string `json:"role-id,omitempty"` -} - -// Identifies an individual task for which the containing object is a consequence of. 
-type TaskReference struct { - // Used to detail assessment subjects that were identfied by this task. - IdentifiedSubject *IdentifiedSubject `json:"identified-subject,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - Subjects []SubjectOfAssessment `json:"subjects,omitempty"` - // A machine-oriented identifier reference to a unique task. - TaskUUID string `json:"task-uuid"` -} - -// Used to detail assessment subjects that were identfied by this task. -type IdentifiedSubject struct { - // A machine-oriented identifier reference to a unique assessment subject placeholder - // defined by this task. - SubjectPlaceholderUUID string `json:"subject-placeholder-uuid"` - Subjects []SubjectOfAssessment `json:"subjects"` -} - -// A set of textual statements, typically written by the assessor. -type AttestationStatements struct { - Parts []AssessmentPart `json:"parts"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` -} - -// Describes an individual finding. -type Finding struct { - // A human-readable description of this finding. - Description string `json:"description"` - // A machine-oriented identifier reference to the implementation statement in the SSP to - // which this finding is related. - ImplementationStatementUUID *string `json:"implementation-statement-uuid,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []FindingRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []FindingRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Target TargetClass `json:"target"` - // The title for this finding. 
- Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this finding in this or other OSCAL instances. The locally defined UUID of - // the finding can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies the source of the finding, such as a tool, interviewed person, or activity. -type FindingOrigin struct { - Actors []OriginatingActor `json:"actors"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` -} - -// The actor that produces an observation, a finding, or a risk. One or more actor type can -// be used to specify a person that is using a tool. -type OriginatingActor struct { - // A machine-oriented identifier reference to the tool or person based on the associated - // type. - ActorUUID string `json:"actor-uuid"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // For a party, this can optionally be used to specify the role the actor was performing. - RoleID *string `json:"role-id,omitempty"` - // The kind of actor. - Type ActorType `json:"type"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type FindingRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type FindingRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. 
- RiskUUID string `json:"risk-uuid"` -} - -// Captures an assessor's conclusions regarding the degree to which an objective is -// satisfied. -type TargetClass struct { - // A human-readable description of the assessor's conclusions regarding the degree to which - // an objective is satisfied. - Description *string `json:"description,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A determination of if the objective is satisfied or not within a given system. - Status StatusClass `json:"status"` - // A machine-oriented identifier reference for a specific target qualified by the type. - TargetID string `json:"target-id"` - // The title for this objective status. - Title *string `json:"title,omitempty"` - // Identifies the type of the target. - Type FindingTargetType `json:"type"` -} - -// Indicates the degree to which the a given control is implemented. -type ImplementationStatus struct { - Remarks *string `json:"remarks,omitempty"` - // Identifies the implementation status of the control or control objective. - State string `json:"state"` -} - -// A determination of if the objective is satisfied or not within a given system. -type StatusClass struct { - // The reason the objective was given it's status. - Reason *string `json:"reason,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // An indication as to whether the objective is satisfied or not. - State ObjectiveStatusState `json:"state"` -} - -// Used to define data objects that are used in the assessment plan, that do not appear in -// the referenced SSP. 
-type ResultLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - Users []SystemUser `json:"users,omitempty"` -} - -// Describes an individual observation. -type Observation struct { - // Date/time stamp identifying when the finding information was collected. - Collected time.Time `json:"collected"` - // A human-readable description of this assessment observation. - Description string `json:"description"` - // Date/time identifying when the finding information is out-of-date and no longer valid. - // Typically used with continuous assessment scenarios. - Expires *time.Time `json:"expires,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Methods []string `json:"methods"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelevantEvidence []RelevantEvidence `json:"relevant-evidence,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this observation. - Title *string `json:"title,omitempty"` - Types []string `json:"types,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this observation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the observation can be used to reference the data item locally or - // globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Links this observation to relevant evidence. -type RelevantEvidence struct { - // A human-readable description of this evidence. 
- Description string `json:"description"` - // A resolvable URL reference to relevant evidence. - Href *string `json:"href,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A human-oriented identifier reference to a resource. Use type to indicate whether the -// identified resource is a component, inventory item, location, user, or something else. -type IdentifiesTheSubject struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a component, inventory-item, location, party, - // user, or resource using it's UUID. - SubjectUUID string `json:"subject-uuid"` - // The title or name for the referenced subject. - Title *string `json:"title,omitempty"` - // Used to indicate the type of object pointed to by the uuid-ref within a subject. - Type string `json:"type"` -} - -// An identified risk. -type IdentifiedRisk struct { - Characterizations []Characterization `json:"characterizations,omitempty"` - // The date/time by which the risk must be resolved. - Deadline *time.Time `json:"deadline,omitempty"` - // A human-readable summary of the identified risk, to include a statement of how the risk - // impacts the system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - MitigatingFactors []MitigatingFactor `json:"mitigating-factors,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedObservations []RiskRelatedObservation `json:"related-observations,omitempty"` - Remediations []RiskResponse `json:"remediations,omitempty"` - // A log of all risk-related tasks taken. - RiskLog *RiskLog `json:"risk-log,omitempty"` - // An summary of impact for how the risk affects the system. 
- Statement string `json:"statement"` - Status string `json:"status"` - ThreatIDS []ThreatID `json:"threat-ids,omitempty"` - // The title for this risk. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk elsewhere in this or other OSCAL instances. The locally defined - // UUID of the risk can be used to reference the data item locally or globally (e.g., in an - // imported OSCAL instance). This UUID should be assigned per-subject, which means it should - // be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A collection of descriptive data about the containing object from a specific origin. -type Characterization struct { - Facets []Facet `json:"facets"` - Links []LinkElement `json:"links,omitempty"` - Origin FindingOrigin `json:"origin"` - Props []Property `json:"props,omitempty"` -} - -// An individual characteristic that is part of a larger set produced by the same actor. -type Facet struct { - Links []LinkElement `json:"links,omitempty"` - // The name of the risk metric within the specified system. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Specifies the naming system under which this risk metric is organized, which allows for - // the same names to be used in different systems controlled by different parties. This - // avoids the potential of a name clash. - System string `json:"system"` - // Indicates the value of the facet. - Value string `json:"value"` -} - -// Describes an existing mitigating factor that may affect the overall determination of the -// risk, with an optional link to an implementation statement in the SSP. -type MitigatingFactor struct { - // A human-readable description of this mitigating factor. 
- Description string `json:"description"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this implementation statement elsewhere in this or other OSCAL instancess. - // The locally defined UUID of the implementation statement can be used to reference the - // data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - ImplementationUUID *string `json:"implementation-uuid,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this mitigating factor elsewhere in this or other OSCAL instances. The - // locally defined UUID of the mitigating factor can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Relates the finding to a set of referenced observations that were used to determine the -// finding. -type RiskRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Describes either recommended or an actual plan for addressing the risk. -type RiskResponse struct { - // A human-readable description of this response plan. - Description string `json:"description"` - // Identifies whether this is a recommendation, such as from an assessor or tool, or an - // actual plan accepted by the system owner. 
- Lifecycle string `json:"lifecycle"` - Links []LinkElement `json:"links,omitempty"` - Origins []FindingOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - RequiredAssets []RequiredAsset `json:"required-assets,omitempty"` - Tasks []Task `json:"tasks,omitempty"` - // The title for this response activity. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this remediation elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk response can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an asset required to achieve remediation. -type RequiredAsset struct { - // A human-readable description of this required asset. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Subjects []IdentifiesTheSubject `json:"subjects,omitempty"` - // The title for this required asset. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this required asset elsewhere in this or other OSCAL instances. The locally - // defined UUID of the asset can be used to reference the data item locally or globally - // (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which - // means it should be consistently used to identify the same subject across revisions of the - // document. - UUID string `json:"uuid"` -} - -// A log of all risk-related tasks taken. 
-type RiskLog struct { - Entries []RiskLogEntry `json:"entries"` -} - -// Identifies an individual risk response that occurred as part of managing an identified -// risk. -type RiskLogEntry struct { - // A human-readable description of what was done regarding the risk. - Description *string `json:"description,omitempty"` - // Identifies the end date and time of the event. If the event is a point in time, the start - // and end will be the same date and time. - End *time.Time `json:"end,omitempty"` - Links []LinkElement `json:"links,omitempty"` - LoggedBy []LoggedBy `json:"logged-by,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedResponses []RiskResponseReference `json:"related-responses,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Identifies the start date and time of the event. - Start time.Time `json:"start"` - StatusChange *string `json:"status-change,omitempty"` - // The title for this risk log entry. - Title *string `json:"title,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this risk log entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the risk log entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Identifies an individual risk response that this log entry is for. -type RiskResponseReference struct { - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedTasks []TaskReference `json:"related-tasks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a unique risk response. 
- ResponseUUID string `json:"response-uuid"` -} - -// A pointer, by ID, to an externally-defined threat. -type ThreatID struct { - // An optional location for the threat data, from which this ID originates. - Href *string `json:"href,omitempty"` - ID string `json:"id"` - // Specifies the source of the threat information. - System string `json:"system"` -} - -// A structured, organized collection of control information. -type Catalog struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []CatalogGroup `json:"groups,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Params []Parameter `json:"params,omitempty"` - // Provides a globally unique means to identify a given catalog instance. - UUID string `json:"uuid"` -} - -// A structured object representing a requirement or guideline, which when implemented will -// reduce an aspect of risk related to an information system and its information. -type Control struct { - // A textual label that provides a sub-type or characterization of the control. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - // Identifies a control such that it can be referenced in the defining catalog and other - // OSCAL instances (e.g., profiles). - ID string `json:"id"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. -type Parameter struct { - // A textual label that provides a characterization of the type, purpose, use or scope of - // the parameter. 
- Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // (deprecated) Another parameter invoking this one. This construct has been deprecated and - // should not be used. - DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A unique identifier for the parameter. - ID string `json:"id"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter. - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A formal or informal expression of a constraint or test. -type Constraint struct { - // A textual summary of the constraint to be applied. - Description *string `json:"description,omitempty"` - Tests []ConstraintTest `json:"tests,omitempty"` -} - -// A test expression which is expected to be evaluated by a tool. -type ConstraintTest struct { - // A formal (executable) expression of a constraint. - Expression string `json:"expression"` - Remarks *string `json:"remarks,omitempty"` -} - -// A prose statement that provides a recommendation for the use of a parameter. -type Guideline struct { - // Prose permits multiple paragraphs, lists, tables etc. - Prose string `json:"prose"` -} - -// Presenting a choice among alternatives. -type Selection struct { - Choice []string `json:"choice,omitempty"` - // Describes the number of selections that must occur. Without this setting, only one value - // should be assumed to be permitted. - HowMany *ParameterCardinality `json:"how-many,omitempty"` -} - -// A group of controls, or of groups of controls. 
-type CatalogGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Controls []Control `json:"controls,omitempty"` - Groups []CatalogGroup `json:"groups,omitempty"` - // Identifies the group for the purpose of cross-linking within the defining instance or - // from other instances that reference the catalog. - ID *string `json:"id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the group, which may be used by a tool for display and navigation. - Title string `json:"title"` -} - -// A collection of component descriptions, which may optionally be grouped by capability. -type ComponentDefinition struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Capabilities []Capability `json:"capabilities,omitempty"` - Components []ComponentDefinitionComponent `json:"components,omitempty"` - ImportComponentDefinitions []ImportComponentDefinition `json:"import-component-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - // Provides a globally unique means to identify a given component definition instance. - UUID string `json:"uuid"` -} - -// A grouping of other components and/or capabilities. -type Capability struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A summary of the capability. - Description string `json:"description"` - IncorporatesComponents []IncorporatesComponent `json:"incorporates-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // The capability's human-readable name. - Name string `json:"name"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // Provides a globally unique means to identify a given capability. 
- UUID string `json:"uuid"` -} - -// Defines how the component or capability supports a set of controls. -type ControlImplementationSet struct { - // A description of how the specified set of controls are implemented for the containing - // component or capability. - Description string `json:"description"` - ImplementedRequirements []ImplementedRequirementElement `json:"implemented-requirements"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A reference to an OSCAL catalog or profile providing the referenced control or subcontrol - // definition. - Source string `json:"source"` - // Provides a means to identify a set of control implementations that are supported by a - // given component or capability. - UUID string `json:"uuid"` -} - -// Describes how the containing component or capability implements an individual control. -type ImplementedRequirementElement struct { - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - // A suggestion from the supplier (e.g., component vendor or author) for how the specified - // control may be implemented if the containing component or capability is instantiated in a - // system security plan. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []ControlStatementImplementation `json:"statements,omitempty"` - // Provides a globally unique means to identify a given control implementation by a - // component. 
- UUID string `json:"uuid"` -} - -// Identifies the parameter that will be set by the enclosed value. -type SetParameterValue struct { - // A human-oriented reference to a parameter within a control, who's catalog has been - // imported into the current implementation context. - ParamID string `json:"param-id"` - Remarks *string `json:"remarks,omitempty"` - Values []string `json:"values"` -} - -// Identifies which statements within a control are addressed. -type ControlStatementImplementation struct { - // A summary of how the containing control statement is implemented by the component or - // capability. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// The collection of components comprising this capability. -type IncorporatesComponent struct { - // A machine-oriented identifier reference to a component. - ComponentUUID string `json:"component-uuid"` - // A description of the component, including information about its function. - Description string `json:"description"` -} - -// A defined component that can be part of an implemented system. -type ComponentDefinitionComponent struct { - ControlImplementations []ControlImplementationSet `json:"control-implementations,omitempty"` - // A description of the component, including information about its function. 
- Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Protocols []ServiceProtocolInformation `json:"protocols,omitempty"` - // A summary of the technological or business purpose of the component. - Purpose *string `json:"purpose,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human readable name for the component. - Title string `json:"title"` - // A category describing the purpose of the component. - Type string `json:"type"` - // Provides a globally unique means to identify a given component. - UUID string `json:"uuid"` -} - -// Loads a component definition from another resource. -type ImportComponentDefinition struct { - // A link to a resource that defines a set of components and/or capabilities to import into - // this collection. - Href string `json:"href"` -} - -// A plan of action and milestones which identifies initial and residual risks, deviations, -// and disposition, such as those required by FedRAMP. -type PlanOfActionAndMilestonesPOAM struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Findings []Finding `json:"findings,omitempty"` - ImportSSP *ImportSystemSecurityPlan `json:"import-ssp,omitempty"` - LocalDefinitions *PlanOfActionAndMilestonesLocalDefinitions `json:"local-definitions,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Observations []Observation `json:"observations,omitempty"` - PoamItems []POAMItem `json:"poam-items"` - Risks []IdentifiedRisk `json:"risks,omitempty"` - SystemID *SystemIdentification `json:"system-id,omitempty"` - // A machine-oriented, globally unique identifier with instancescope that can be used to - // reference this POA&M instance in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. 
- UUID string `json:"uuid"` -} - -// Allows components, and inventory-items to be defined within the POA&M for circumstances -// where no OSCAL-based SSP exists, or is not delivered with the POA&M. -type PlanOfActionAndMilestonesLocalDefinitions struct { - AssessmentAssets *AssessmentAssets `json:"assessment-assets,omitempty"` - Components []AssessmentAssetsComponent `json:"components,omitempty"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// Describes an individual POA&M item. -type POAMItem struct { - // A human-readable description of POA&M item. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Origins []PoamItemOrigin `json:"origins,omitempty"` - Props []Property `json:"props,omitempty"` - RelatedFindings []RelatedFinding `json:"related-findings,omitempty"` - RelatedObservations []PoamItemRelatedObservation `json:"related-observations,omitempty"` - RelatedRisks []PoamItemRelatedRisk `json:"related-risks,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // The title or name for this POA&M item . - Title string `json:"title"` - // A machine-oriented, globally unique identifier with instance scope that can be used to - // reference this POA&M item entry in this OSCAL instance. This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// Identifies the source of the finding, such as a tool or person. -type PoamItemOrigin struct { - Actors []OriginatingActor `json:"actors"` -} - -// Relates the poam-item to referenced finding(s). -type RelatedFinding struct { - // A machine-oriented identifier reference to a finding defined in the list of findings. - FindingUUID string `json:"finding-uuid"` -} - -// Relates the poam-item to a set of referenced observations that were used to determine the -// finding. 
-type PoamItemRelatedObservation struct { - // A machine-oriented identifier reference to an observation defined in the list of - // observations. - ObservationUUID string `json:"observation-uuid"` -} - -// Relates the finding to a set of referenced risks that were used to determine the finding. -type PoamItemRelatedRisk struct { - // A machine-oriented identifier reference to a risk defined in the list of risks. - RiskUUID string `json:"risk-uuid"` -} - -// A human-oriented, globally unique identifier with cross-instance scope that can be used -// to reference this system identification property elsewhere in this or other OSCAL -// instances. When referencing an externally defined system identification, the system -// identification must be used in the context of the external / imported OSCAL instance -// (e.g., uri-reference). This string should be assigned per-subject, which means it should -// be consistently used to identify the same system across revisions of the document. -type SystemIdentification struct { - ID string `json:"id"` - // Identifies the identification system from which the provided identifier was assigned. - IdentifierType *string `json:"identifier-type,omitempty"` -} - -// Each OSCAL profile is defined by a profile element. -type Profile struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - Imports []ImportResource `json:"imports"` - Merge *MergeControls `json:"merge,omitempty"` - Metadata DocumentMetadata `json:"metadata"` - Modify *ModifyControls `json:"modify,omitempty"` - // Provides a globally unique means to identify a given profile instance. - UUID string `json:"uuid"` -} - -// Designates a referenced source catalog or profile that provides a source of control -// information for use in creating a new overlay or baseline. -type ImportResource struct { - ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` - // A resolvable URL reference to the base catalog or profile that this profile is tailoring. 
- Href string `json:"href"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` -} - -// Select a control or controls from an imported control set. -type ImportExcludeControl struct { - Matching []MatchControlsByPattern `json:"matching,omitempty"` - // When a control is included, whether its child (dependent) controls are also included. - WithChildControls *IncludeContainedControlsWithControl `json:"with-child-controls,omitempty"` - WithIDS []string `json:"with-ids,omitempty"` -} - -// Selecting a set of controls by matching their IDs with a wildcard pattern. -type MatchControlsByPattern struct { - // A glob expression matching the IDs of one or more controls to be selected. - Pattern *string `json:"pattern,omitempty"` -} - -// Provides structuring directives that instruct how controls are organized after profile -// resolution. -type MergeControls struct { - // Indicates that the controls selected should retain their original grouping as defined in - // the import source. - AsIs *bool `json:"as-is,omitempty"` - // A Combine element defines how to resolve duplicate instances of the same control (e.g., - // controls with the same ID). - Combine *CombinationRule `json:"combine,omitempty"` - // Provides an alternate grouping structure that selected controls will be placed in. - Custom *CustomGrouping `json:"custom,omitempty"` - // Directs that controls appear without any grouping structure. - Flat *FlatWithoutGrouping `json:"flat,omitempty"` -} - -// A Combine element defines how to resolve duplicate instances of the same control (e.g., -// controls with the same ID). -type CombinationRule struct { - // Declare how clashing controls should be handled. - Method *CombinationMethod `json:"method,omitempty"` -} - -// Provides an alternate grouping structure that selected controls will be placed in. 
-type CustomGrouping struct { - Groups []CustomGroup `json:"groups,omitempty"` - InsertControls []InsertControls `json:"insert-controls,omitempty"` -} - -// A group of (selected) controls or of groups of controls. -type CustomGroup struct { - // A textual label that provides a sub-type or characterization of the group. - Class *string `json:"class,omitempty"` - Groups []CustomGroup `json:"groups,omitempty"` - // Identifies the group. - ID *string `json:"id,omitempty"` - InsertControls []InsertControls `json:"insert-controls,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - Props []Property `json:"props,omitempty"` - // A name to be given to the group for use in display. - Title string `json:"title"` -} - -// Specifies which controls to use in the containing context. -type InsertControls struct { - ExcludeControls []ImportExcludeControl `json:"exclude-controls,omitempty"` - IncludeAll *IncludeAll `json:"include-all,omitempty"` - IncludeControls []ImportExcludeControl `json:"include-controls,omitempty"` - // A designation of how a selection of controls in a profile is to be ordered. - Order *Order `json:"order,omitempty"` -} - -// Directs that controls appear without any grouping structure. -type FlatWithoutGrouping struct { -} - -// Set parameters or amend controls in resolution. -type ModifyControls struct { - Alters []Alteration `json:"alters,omitempty"` - SetParameters []ParameterSetting `json:"set-parameters,omitempty"` -} - -// Specifies changes to be made to an included control when a profile is resolved. -type Alteration struct { - Adds []Addition `json:"adds,omitempty"` - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). 
- ControlID string `json:"control-id"` - Removes []Removal `json:"removes,omitempty"` -} - -// Specifies contents to be added into controls, in resolution. -type Addition struct { - // Target location of the addition. - ByID *string `json:"by-id,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Params []Parameter `json:"params,omitempty"` - Parts []PartElement `json:"parts,omitempty"` - // Where to add the new content with respect to the targeted element (beside it or inside - // it). - Position *Position `json:"position,omitempty"` - Props []Property `json:"props,omitempty"` - // A name given to the control, which may be used by a tool for display and navigation. - Title *string `json:"title,omitempty"` -} - -// Specifies objects to be removed from a control based on specific aspects of the object -// that must all match. -type Removal struct { - // Identify items to remove by matching their class. - ByClass *string `json:"by-class,omitempty"` - // Identify items to remove indicated by their id. - ByID *string `json:"by-id,omitempty"` - // Identify items to remove by the name of the item's information object name, e.g. title or - // prop. - ByItemName *ItemNameReference `json:"by-item-name,omitempty"` - // Identify items remove by matching their assigned name. - ByName *string `json:"by-name,omitempty"` - // Identify items to remove by the item's ns, which is the namespace associated with a part, - // or prop. - ByNS *string `json:"by-ns,omitempty"` -} - -// A parameter setting, to be propagated to points of insertion. -type ParameterSetting struct { - // A textual label that provides a characterization of the parameter. - Class *string `json:"class,omitempty"` - Constraints []Constraint `json:"constraints,omitempty"` - // **(deprecated)** Another parameter invoking this one. This construct has been deprecated - // and should not be used. 
- DependsOn *string `json:"depends-on,omitempty"` - Guidelines []Guideline `json:"guidelines,omitempty"` - // A short, placeholder name for the parameter, which can be used as a substitute for a - // value if no value is assigned. - Label *string `json:"label,omitempty"` - Links []LinkElement `json:"links,omitempty"` - // An identifier for the parameter. - ParamID string `json:"param-id"` - Props []Property `json:"props,omitempty"` - Select *Selection `json:"select,omitempty"` - // Describes the purpose and use of a parameter. - Usage *string `json:"usage,omitempty"` - Values []string `json:"values,omitempty"` -} - -// A system security plan, such as those described in NIST SP 800-18. -type SystemSecurityPlanSSP struct { - BackMatter *BackMatter `json:"back-matter,omitempty"` - ControlImplementation ControlImplementationClass `json:"control-implementation"` - ImportProfile ImportProfile `json:"import-profile"` - Metadata DocumentMetadata `json:"metadata"` - SystemCharacteristics SystemCharacteristics `json:"system-characteristics"` - SystemImplementation SystemImplementation `json:"system-implementation"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. - // The locally defined UUID of the SSP can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes how the system satisfies a set of controls. -type ControlImplementationClass struct { - // A statement describing important things to know about how this set of control - // satisfaction documentation is approached. 
- Description string `json:"description"` - ImplementedRequirements []ControlBasedRequirement `json:"implemented-requirements"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` -} - -// Describes how the system satisfies the requirements of an individual control. -type ControlBasedRequirement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - // A reference to a control with a corresponding id value. When referencing an externally - // defined control, the Control Identifier Reference must be used in the context of the - // external / imported OSCAL instance (e.g., uri-reference). - ControlID string `json:"control-id"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - Statements []SpecificControlStatement `json:"statements,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control requirement elsewhere in this or other OSCAL instances. The - // locally defined UUID of the control requirement can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Defines how the referenced component implements a set of controls. -type ComponentControlImplementation struct { - // A machine-oriented identifier reference to the component that is implemeting a given - // control. - ComponentUUID string `json:"component-uuid"` - // An implementation statement that describes how a control or a control statement is - // implemented within the referenced system component. 
- Description string `json:"description"` - // Identifies content intended for external consumption, such as with leveraged - // organizations. - Export *Export `json:"export,omitempty"` - ImplementationStatus *ImplementationStatus `json:"implementation-status,omitempty"` - Inherited []InheritedControlImplementation `json:"inherited,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - Satisfied []SatisfiedControlImplementationResponsibility `json:"satisfied,omitempty"` - SetParameters []SetParameterValue `json:"set-parameters,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this by-component entry elsewhere in this or other OSCAL instances. The - // locally defined UUID of the by-component entry can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies content intended for external consumption, such as with leveraged -// organizations. -type Export struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be available to another system leveraging this system. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Provided []ProvidedControlImplementation `json:"provided,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Responsibilities []ControlImplementationResponsibility `json:"responsibilities,omitempty"` -} - -// Describes a capability which may be inherited by a leveraging system. 
-type ProvidedControlImplementation struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that can be provided to another system leveraging this system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this provided entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the provided entry can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation responsibility imposed on a leveraging system. -type ControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of the control or control - // statement implementation that a leveraging system must implement to satisfy the control - // provided by a leveraged system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this responsibility elsewhere in this or other OSCAL instances. 
The locally - // defined UUID of the responsibility can be used to reference the data item locally or - // globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, - // which means it should be consistently used to identify the same subject across revisions - // of the document. - UUID string `json:"uuid"` -} - -// Describes a control implementation inherited by a leveraging system. -type InheritedControlImplementation struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is inheriting from a leveraged system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A machine-oriented identifier reference to an inherited control implementation that a - // leveraging system is inheriting from a leveraged system. - ProvidedUUID *string `json:"provided-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this inherited entry elsewhere in this or other OSCAL instances. The locally - // defined UUID of the inherited control implementation can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Describes how this system satisfies a responsibility imposed by a leveraged system. -type SatisfiedControlImplementationResponsibility struct { - // An implementation statement that describes the aspects of a control or control statement - // implementation that a leveraging system is implementing based on a requirement from a - // leveraged system. 
- Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented identifier reference to a control implementation that satisfies a - // responsibility imposed by a leveraged system. - ResponsibilityUUID *string `json:"responsibility-uuid,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this satisfied control implementation entry elsewhere in this or other OSCAL - // instances. The locally defined UUID of the control implementation can be used to - // reference the data item locally or globally (e.g., in an imported OSCAL instance). This - // UUID should be assigned per-subject, which means it should be consistently used to - // identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Identifies which statements within a control are addressed. -type SpecificControlStatement struct { - ByComponents []ComponentControlImplementation `json:"by-components,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleRoles []ResponsibleRole `json:"responsible-roles,omitempty"` - // A human-oriented identifier reference to a control statement. - StatementID string `json:"statement-id"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this control statement elsewhere in this or other OSCAL instances. The UUID - // of the control statement in the source OSCAL instance is sufficient to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). - UUID string `json:"uuid"` -} - -// Used to import the OSCAL profile representing the system's control baseline. 
-type ImportProfile struct { - // A resolvable URL reference to the profile or catalog to use as the system's control - // baseline. - Href string `json:"href"` - Remarks *string `json:"remarks,omitempty"` -} - -// Contains the characteristics of the system, such as its name, purpose, and security -// impact level. -type SystemCharacteristics struct { - AuthorizationBoundary AuthorizationBoundary `json:"authorization-boundary"` - DataFlow *DataFlow `json:"data-flow,omitempty"` - DateAuthorized *string `json:"date-authorized,omitempty"` - // A summary of the system. - Description string `json:"description"` - Links []LinkElement `json:"links,omitempty"` - NetworkArchitecture *NetworkArchitecture `json:"network-architecture,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - ResponsibleParties []ResponsibleParty `json:"responsible-parties,omitempty"` - SecurityImpactLevel *SecurityImpactLevel `json:"security-impact-level,omitempty"` - // The overall information system sensitivity categorization, such as defined by FIPS-199. - SecuritySensitivityLevel *string `json:"security-sensitivity-level,omitempty"` - Status SystemCharacteristicsStatus `json:"status"` - SystemIDS []SystemIdentification `json:"system-ids"` - SystemInformation SystemInformation `json:"system-information"` - // The full name of the system. - SystemName string `json:"system-name"` - // A short name for the system, such as an acronym, that is suitable for display in a data - // table or summary list. - SystemNameShort *string `json:"system-name-short,omitempty"` -} - -// A description of this system's authorization boundary, optionally supplemented by -// diagrams that illustrate the authorization boundary. -type AuthorizationBoundary struct { - // A summary of the system's authorization boundary. 
- Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A graphic that provides a visual representation the system, or some aspect of it. -type Diagram struct { - // A brief caption to annotate the diagram. - Caption *string `json:"caption,omitempty"` - // A summary of the diagram. - Description *string `json:"description,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this diagram elsewhere in this or other OSCAL instances. The locally defined - // UUID of the diagram can be used to reference the data item locally or globally (e.g., in - // an imported OSCAL instance). This UUID should be assigned per-subject, which means it - // should be consistently used to identify the same subject across revisions of the document. - UUID string `json:"uuid"` -} - -// A description of the logical flow of information within the system and across its -// boundaries, optionally supplemented by diagrams that illustrate these flows. -type DataFlow struct { - // A summary of the system's data flow. - Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// A description of the system's network architecture, optionally supplemented by diagrams -// that illustrate the network architecture. -type NetworkArchitecture struct { - // A summary of the system's network architecture. 
- Description string `json:"description"` - Diagrams []Diagram `json:"diagrams,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` -} - -// The overall level of expected impact resulting from unauthorized disclosure, -// modification, or loss of access to information. -type SecurityImpactLevel struct { - // A target-level of availability for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveAvailability string `json:"security-objective-availability"` - // A target-level of confidentiality for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveConfidentiality string `json:"security-objective-confidentiality"` - // A target-level of integrity for the system, based on the sensitivity of information - // within the system. - SecurityObjectiveIntegrity string `json:"security-objective-integrity"` -} - -// Describes the operational status of the system. -type SystemCharacteristicsStatus struct { - Remarks *string `json:"remarks,omitempty"` - // The current operating status. - State FluffyState `json:"state"` -} - -// Contains details about all information types that are stored, processed, or transmitted -// by the system, such as privacy information, and those defined in NIST SP 800-60. -type SystemInformation struct { - InformationTypes []InformationType `json:"information-types"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` -} - -// Contains details about one information type that is stored, processed, or transmitted by -// the system, such as privacy information, and those defined in NIST SP 800-60. 
-type InformationType struct { - AvailabilityImpact *ImpactLevel `json:"availability-impact,omitempty"` - Categorizations []InformationTypeCategorization `json:"categorizations,omitempty"` - ConfidentialityImpact *ImpactLevel `json:"confidentiality-impact,omitempty"` - // A summary of how this information type is used within the system. - Description string `json:"description"` - IntegrityImpact *ImpactLevel `json:"integrity-impact,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - // A human readable name for the information type. This title should be meaningful within - // the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope that can be used - // to reference this information type elsewhere in this or other OSCAL instances. The - // locally defined UUID of the information type can be used to reference the data item - // locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned - // per-subject, which means it should be consistently used to identify the same subject - // across revisions of the document. - UUID *string `json:"uuid,omitempty"` -} - -// The expected level of impact resulting from the described information. -type ImpactLevel struct { - AdjustmentJustification *string `json:"adjustment-justification,omitempty"` - Base string `json:"base"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Selected *string `json:"selected,omitempty"` -} - -// A set of information type identifiers qualified by the given identification system used, -// such as NIST SP 800-60. -type InformationTypeCategorization struct { - InformationTypeIDS []string `json:"information-type-ids,omitempty"` - // Specifies the information type identification system used. - System string `json:"system"` -} - -// Provides information as to how the system is implemented. 
-type SystemImplementation struct { - Components []AssessmentAssetsComponent `json:"components"` - InventoryItems []InventoryItem `json:"inventory-items,omitempty"` - LeveragedAuthorizations []LeveragedAuthorization `json:"leveraged-authorizations,omitempty"` - Links []LinkElement `json:"links,omitempty"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - Users []SystemUser `json:"users"` -} - -// A description of another authorized system from which this system inherits capabilities -// that satisfy security requirements. Another term for this concept is a common control -// provider. -type LeveragedAuthorization struct { - DateAuthorized string `json:"date-authorized"` - Links []LinkElement `json:"links,omitempty"` - // A machine-oriented identifier reference to the party that manages the leveraged system. - PartyUUID string `json:"party-uuid"` - Props []Property `json:"props,omitempty"` - Remarks *string `json:"remarks,omitempty"` - // A human readable name for the leveraged authorization in the context of the system. - Title string `json:"title"` - // A machine-oriented, globally unique identifier with cross-instance scope and can be used - // to reference this leveraged authorization elsewhere in this or other OSCAL instances. The - // locally defined UUID of the leveraged authorization can be used to reference the data - // item locally or globally (e.g., in an imported OSCAL instance). This UUID should be - // assigned per-subject, which means it should be consistently used to identify the same - // subject across revisions of the document. - UUID string `json:"uuid"` -} - -// Indicates the transport type. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. 
-// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. 
-// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. 
-// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Transport string - -const ( - TCP Transport = "TCP" - UDP Transport = "UDP" -) - -// The operational status. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. 
-// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. 
This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type PurpleState string - -const ( - PurpleDisposition PurpleState = "disposition" - PurpleOperational PurpleState = "operational" - PurpleOther PurpleState = "other" - PurpleUnderDevelopment PurpleState = "under-development" -) - -// A category describing the kind of party the object describes. -// -// A label that indicates the nature of a resource, as a data serialization or format. 
-// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. 
This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type PartyType string - -const ( - Organization PartyType = "organization" - Person PartyType = "person" -) - -// The unit of time for the period. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. 
-// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. 
-// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type TimeUnit string - -const ( - Days TimeUnit = "days" - Hours TimeUnit = "hours" - Minutes TimeUnit = "minutes" - Months TimeUnit = "months" - Seconds TimeUnit = "seconds" - Years TimeUnit = "years" -) - -// The kind of actor. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. 
This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. 
-// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ActorType string - -const ( - AssessmentPlatform ActorType = "assessment-platform" - Party ActorType = "party" - Tool ActorType = "tool" -) - -// An indication as to whether the objective is satisfied or not. 
-// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. 
When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. 
-// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ObjectiveStatusState string - -const ( - NotSatisfied ObjectiveStatusState = "not-satisfied" - Satisfied ObjectiveStatusState = "satisfied" -) - -// Identifies the type of the target. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. 
-// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. 
-// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type FindingTargetType string - -const ( - ObjectiveID FindingTargetType = "objective-id" - StatementID FindingTargetType = "statement-id" -) - -// Describes the number of selections that must occur. Without this setting, only one value -// should be assumed to be permitted. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. 
-// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. 
This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ParameterCardinality string - -const ( - One ParameterCardinality = "one" - OneOrMore ParameterCardinality = "one-or-more" -) - -// When a control is included, whether its child (dependent) controls are also included. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. 
-// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). 
-// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. 
-// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type IncludeContainedControlsWithControl string - -const ( - No IncludeContainedControlsWithControl = "no" - Yes IncludeContainedControlsWithControl = "yes" -) - -// Declare how clashing controls should be handled. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. 
-// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. -// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. 
-// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type CombinationMethod string - -const ( - CombinationMethodKeep CombinationMethod = "keep" - Merge CombinationMethod = "merge" - UseFirst CombinationMethod = "use-first" -) - -// A designation of how a selection of controls in a profile is to be ordered. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. 
-// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. 
-// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Order string - -const ( - Ascending Order = "ascending" - Descending Order = "descending" - OrderKeep Order = "keep" -) - -// Where to add the new content with respect to the targeted element (beside it or inside -// it). -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. 
-// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. -// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. 
-// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. -// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. 
-// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type Position string - -const ( - After Position = "after" - Before Position = "before" - Ending Position = "ending" - Starting Position = "starting" -) - -// Identify items to remove by the name of the item's information object name, e.g. title or -// prop. -// -// Name of the file before it was encoded as Base64 to be embedded in a resource. This is -// the name that will be assigned to the file when the file is decoded. -// -// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. -// https://www.w3.org/TR/xmlschema11-2/#NCName. -// -// A textual label that provides a sub-type or characterization of the property's name. -// -// An identifier for relating distinct sets of properties. -// -// A textual label, within a namespace, that uniquely identifies a specific attribute, -// characteristic, or quality of the property's containing object. -// -// A textual label that provides a sub-type or characterization of the control. -// -// Identifies a control such that it can be referenced in the defining catalog and other -// OSCAL instances (e.g., profiles). -// -// A textual label that provides a characterization of the type, purpose, use or scope of -// the parameter. -// -// (deprecated) Another parameter invoking this one. This construct has been deprecated and -// should not be used. -// -// A unique identifier for the parameter. -// -// An optional textual providing a sub-type or characterization of the part's name, or a -// category to which the part belongs. -// -// A unique identifier for the part. -// -// A textual label that uniquely identifies the part's semantic type, which exists in a -// value space qualified by the ns. 
-// -// A textual label that provides a sub-type or characterization of the group. -// -// Identifies the group for the purpose of cross-linking within the defining instance or -// from other instances that reference the catalog. -// -// A reference to a role performed by a party. -// -// The type of action documented by the assembly, such as an approval. -// -// A unique identifier for the role. -// -// Identifies the group. -// -// Target location of the addition. -// -// A reference to a control with a corresponding id value. When referencing an externally -// defined control, the Control Identifier Reference must be used in the context of the -// external / imported OSCAL instance (e.g., uri-reference). -// -// Identify items to remove by matching their class. -// -// Identify items to remove indicated by their id. -// -// Identify items remove by matching their assigned name. -// -// Identify items to remove by the item's ns, which is the namespace associated with a part, -// or prop. -// -// A textual label that provides a characterization of the parameter. -// -// **(deprecated)** Another parameter invoking this one. This construct has been deprecated -// and should not be used. -// -// An identifier for the parameter. -// -// A human-oriented identifier reference to a role performed. -// -// A human-oriented reference to a parameter within a control, who's catalog has been -// imported into the current implementation context. -// -// A human-oriented identifier reference to a control statement. -// -// Points to an assessment objective. -// -// Used to constrain the selection to only specificity identified statements. -// -// A textual label that provides a sub-type or characterization of the part's name. This can -// be used to further distinguish or discriminate between the semantics of multiple parts of -// the same control with the same name and ns. -// -// A point to the role-id of the role in which the party is making the log entry. 
-// -// For a party, this can optionally be used to specify the role the actor was performing. -// -// A machine-oriented identifier reference for a specific target qualified by the type. -// -// The name of the risk metric within the specified system. -// -// Selecting a control by its ID given as a literal. -// -// Reference to a role by UUID. -// -// Describes the type of relationship provided by the link's hypertext reference. This can -// be an indicator of the link's purpose. -// -// Indicates the type of address. -// -// Identifies the implementation status of the control or control objective. -// -// Used to indicate the type of object pointed to by the uuid-ref within a subject. -// -// Indicates the type of assessment subject, such as a component, inventory, item, location, -// or party represented by this selection statement. -// -// The type of task. -// -// A textual label that uniquely identifies the part's semantic type. -// -// The reason the objective was given it's status. -// -// Identifies the nature of the observation. More than one may be used to further qualify -// and enable filtering. -// -// Identifies whether this is a recommendation, such as from an assessor or tool, or an -// actual plan accepted by the system owner. -// -// Describes the status of the associated risk. -type ItemNameReference string - -const ( - Link ItemNameReference = "link" - Map ItemNameReference = "map" - Mapping ItemNameReference = "mapping" - Param ItemNameReference = "param" - Part ItemNameReference = "part" - Prop ItemNameReference = "prop" -) - -// The current operating status. -// -// A label that indicates the nature of a resource, as a data serialization or format. -// -// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, -// U+10, U+32 or [ -// ]+ -// -// In case where the href points to a back-matter/resource, this value will indicate the URI -// fragment to append to any rlink associated with the resource. 
This value MUST be URI -// encoded. -// -// Indicates the value of the attribute, characteristic, or quality. -// -// A formal (executable) expression of a constraint. -// -// City, town or geographical region for the mailing address. -// -// The ISO 3166-1 alpha-2 country code for the mailing address. -// -// Postal or ZIP code for mailing address. -// -// State, province or analogous geographical region for a mailing address. -// -// The full name of the party. This is typically the legal name associated with the party. -// -// A short common name, abbreviation, or acronym for the party. -// -// A short common name, abbreviation, or acronym for the role. -// -// A glob expression matching the IDs of one or more controls to be selected. -// -// A parameter value or set of values. -// -// The capability's human-readable name. -// -// The common name of the protocol, which should be the appropriate "service name" from the -// IANA Service Name and Transport Protocol Port Number Registry. -// -// A target-level of availability for the system, based on the sensitivity of information -// within the system. -// -// A target-level of confidentiality for the system, based on the sensitivity of information -// within the system. -// -// A target-level of integrity for the system, based on the sensitivity of information -// within the system. -// -// The overall information system sensitivity categorization, such as defined by FIPS-199. -// -// A human-oriented, globally unique identifier qualified by the given identification system -// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to -// reference this system elsewhere in this or other OSCAL instances. This id should be -// assigned per-subject, which means it should be consistently used to identify the same -// subject across revisions of the document. -// -// The full name of the system. 
-// -// A short name for the system, such as an acronym, that is suitable for display in a data -// table or summary list. -// -// A short common name, abbreviation, or acronym for the user. -// -// Indicates the value of the facet. -// -// A single line of an address. -// -// The OSCAL model version the document was authored against and will conform to as valid. -// -// Used to distinguish a specific revision of an OSCAL document from other previous and -// future versions. -// -// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. -// -// The selected (Confidentiality, Integrity, or Availability) security impact level. -// -// Describes a function performed for a given authorized privilege by this user class. -// -// The digest method by which a hash is derived. -// -// Indicates the type of phone number. -// -// A category describing the purpose of the component. -// -// Identifies how the observation was made. -type FluffyState string - -const ( - FluffyDisposition FluffyState = "disposition" - FluffyOperational FluffyState = "operational" - FluffyOther FluffyState = "other" - FluffyUnderDevelopment FluffyState = "under-development" - UnderMajorModification FluffyState = "under-major-modification" -) From 356853dc274cc60a16802465f6dd27a01ecfd626 Mon Sep 17 00:00:00 2001 
From: "Cole (Mike) Winberry" Date: Wed, 11 Sep 2024 14:40:19 -0700 Subject: [PATCH 3/5] refactor: remove generate function and associated code --- src/cmd/generate/generate.go | 67 ---- src/cmd/generate/generate_e2e_test.go | 308 -------------- src/cmd/generate/generate_test.go | 74 ---- src/cmd/root.go | 2 - src/internal/generate/generate.go | 356 ----------------- src/internal/generate/generate_ref_queue.go | 44 -- src/internal/generate/generate_test.go | 383 ------------------ src/internal/generate/generate_utils.go | 398 ------------------- src/internal/generate/generate_utils_test.go | 335 ---------------- 9 files changed, 1967 deletions(-) delete mode 100644 src/cmd/generate/generate.go delete mode 100644 src/cmd/generate/generate_e2e_test.go delete mode 100644 src/cmd/generate/generate_test.go delete mode 100644 src/internal/generate/generate.go delete mode 100644 src/internal/generate/generate_ref_queue.go delete mode 100644 src/internal/generate/generate_test.go delete mode 100644 src/internal/generate/generate_utils.go delete mode 100644 src/internal/generate/generate_utils_test.go
diff --git a/src/cmd/generate/generate.go b/src/cmd/generate/generate.go
deleted file mode 100644
index 58b60a8c..00000000
--- a/src/cmd/generate/generate.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package generate
-
-import (
- "fmt"
- "log"
- "os"
-
- "github.com/defenseunicorns/go-oscal/src/internal/generate"
- "github.com/defenseunicorns/go-oscal/src/pkg/files"
- "github.com/defenseunicorns/go-oscal/src/pkg/tags"
-
- "github.com/spf13/cobra"
-)
-
-var opts = &generate.BaseFlags{}
-
-var GenerateCmd = &cobra.Command{
- Use: "generate",
- Short: "generate Golang data types from OSCAL schema",
- Long: "Generate Golang data types from OSCAL Complete schema.",
- // Example: generateHelp,
- RunE: func(cmd *cobra.Command, componentDefinitionPaths []string) error {
-
- output, err := GenerateCommand(*opts)
- if err != nil {
- return err
- }
- // Write the Go struct output to either stdout or a file.
- if opts.OutputFile == "" {
- log.Println(string(output))
- } else {
- err = files.WriteOutput(output, opts.OutputFile)
- if err != nil {
- return fmt.Errorf("failed to write output to file: %s", err)
- }
- }
- return nil
- },
-}
-
-func GenerateCommand(flags generate.BaseFlags) (output []byte, err error) {
- schemaBytes, err := os.ReadFile(flags.InputFile)
- if err != nil {
- return
- }
-
- tagList, err := tags.FormatTags(flags.Tags)
- if err != nil {
- return
- }
-
- // Generate the Go structs.
- output, err = generate.Generate(schemaBytes, flags.Pkg, tagList)
- if err != nil {
- return output, fmt.Errorf("failed to generate Go structs: %s", err)
- }
-
- return
-}
-
-func init() {
- GenerateCmd.Flags().StringVarP(&opts.InputFile, "input-file", "f", "", "the path to a oscal json schema file")
- GenerateCmd.Flags().StringVarP(&opts.OutputFile, "output-file", "o", "", "the name of the file to write the output to (outputs to STDOUT by default)")
- GenerateCmd.Flags().StringVarP(&opts.Pkg, "pkg", "p", "main", "the name of the package for the generated code")
- GenerateCmd.Flags().StringVarP(&opts.Tags, "tags", "t", "json,yaml", "comma separated list of the tags to put on the struct")
- GenerateCmd.MarkFlagRequired("input-file")
-}
diff --git a/src/cmd/generate/generate_e2e_test.go b/src/cmd/generate/generate_e2e_test.go
deleted file mode 100644
index 75142d42..00000000
--- a/src/cmd/generate/generate_e2e_test.go
+++ /dev/null
@@ -1,308 +0,0 @@
-package generate_test
-
-import (
- "encoding/json"
- "os"
- "reflect"
- "strings"
- "testing"
-
- oscalTypes_1_0_4 "github.com/defenseunicorns/go-oscal/src/types/oscal-1-0-4"
- oscalTypes_1_1_1 "github.com/defenseunicorns/go-oscal/src/types/oscal-1-1-1"
- "gopkg.in/yaml.v3"
-)
-
-var (
- keysToNotRecurse = map[string]bool{
- "flat": true,
- "include-all": true,
- }
- rev4YamlPath = "../../../testdata/generation/e2e/rev4/yaml/"
- rev4JsonPath = "../../../testdata/generation/e2e/rev4/json/"
- rev5YamlPath = "../../../testdata/generation/e2e/rev5/yaml/"
- rev5JsonPath = "../../../testdata/generation/e2e/rev5/json/"
- oscal104Types = "../../types/oscal-1-0-4/types.go"
- oscal111Types = "../../types/oscal-1-1-1/types.go"
-)
-
-// TestFedrampBaselineYamlFieldsInTypes tests that the fields in the yaml files are present in the types.go files
-// for the fedramp baseline schemas. While this test is not exhaustive,
-// it is a good way to capture any missing fields in the types.go files should they arise.
-func TestFedrampBaselineYamlFieldsInTypes(t *testing.T) {
- t.Parallel()
-
- t.Run("Rev4", func(t *testing.T) {
- t.Parallel()
- typeBytes, err := os.ReadFile(oscal104Types)
- if err != nil {
- t.Fatal(err)
- }
-
- dir, err := os.ReadDir(rev4YamlPath)
- if err != nil {
- t.Fatal(err)
- }
- for _, file := range dir {
-
- bytes, err := os.ReadFile(rev4YamlPath + file.Name())
- if err != nil {
- t.Fatal(err)
- }
- oscalDoc := map[string]interface{}{}
- err = yaml.Unmarshal(bytes, &oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
- ValidateKeys(oscalDoc, string(typeBytes), t)
- }
- })
-
- t.Run("Rev5", func(t *testing.T) {
- t.Parallel()
- typeBytes, err := os.ReadFile(oscal111Types)
- if err != nil {
- t.Fatal(err)
- }
-
- dir, err := os.ReadDir(rev5YamlPath)
- if err != nil {
- t.Fatal(err)
- }
- for _, file := range dir {
-
- bytes, err := os.ReadFile(rev5YamlPath + file.Name())
- if err != nil {
- t.Fatal(err)
- }
- oscalDoc := map[string]interface{}{}
- err = yaml.Unmarshal(bytes, &oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
- ValidateKeys(oscalDoc, string(typeBytes), t)
- }
-
- })
-}
-
-// TestFieldStability tests that the fields in the yaml files are stable when marshaled and unmarshaled
-// for the fedramp baseline schemas.
-// This is important to ensure that the fields are not lost when marshaled and unmarshaled.
-func TestFieldStability(t *testing.T) {
- t.Parallel()
-
- t.Run("Rev4", func(t *testing.T) {
- t.Parallel()
- dir, err := os.ReadDir(rev4YamlPath)
- if err != nil {
- t.Fatal(err)
- }
-
- for _, file := range dir {
-
- bytes, err := os.ReadFile(rev4YamlPath + file.Name())
- if err != nil {
- t.Fatal(err)
- }
- oscalDoc := oscalTypes_1_0_4.OscalCompleteSchema{}
- err = yaml.Unmarshal(bytes, &oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
-
- // Marshal the document back to yaml
- marshaled, err := yaml.Marshal(oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
-
- actual := map[string]interface{}{}
- expected := map[string]interface{}{}
- err = yaml.Unmarshal(marshaled, &actual)
- if err != nil {
- t.Fatal(err)
- }
- err = yaml.Unmarshal(bytes, &expected)
- if err != nil {
- t.Fatal(err)
- }
-
- if !reflect.DeepEqual(actual, expected) {
- t.Error("expected marshaled yaml to be equal to the original yaml")
- }
-
- }
- })
-
- t.Run("Rev5", func(t *testing.T) {
- t.Parallel()
- dir, err := os.ReadDir(rev5YamlPath)
- if err != nil {
- t.Fatal(err)
- }
-
- for _, file := range dir {
-
- bytes, err := os.ReadFile(rev5YamlPath + file.Name())
- if err != nil {
- t.Fatal(err)
- }
- oscalDoc := oscalTypes_1_1_1.OscalCompleteSchema{}
- err = yaml.Unmarshal(bytes, &oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
-
- // Marshal the document back to yaml
- marshaled, err := yaml.Marshal(oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
-
- actual := map[string]interface{}{}
- expected := map[string]interface{}{}
- err = yaml.Unmarshal(marshaled, &actual)
- if err != nil {
- t.Fatal(err)
- }
- err = yaml.Unmarshal(bytes, &expected)
- if err != nil {
- t.Fatal(err)
- }
-
- if !reflect.DeepEqual(actual, expected) {
- t.Error("expected marshaled yaml to be equal to the original yaml")
- }
-
- }
- })
-}
-
-func TestNoExtraJsonFields(t *testing.T) {
- t.Parallel()
-
- t.Run("Rev4", func(t *testing.T) {
- t.Parallel()
- dir, err := os.ReadDir(rev4JsonPath)
- if err != nil {
- t.Fatal(err)
- }
-
- for _, file := range dir {
- bytes, err := os.ReadFile(rev4JsonPath + file.Name())
- if err != nil {
- t.Fatal(err)
- }
- oscalDoc := oscalTypes_1_0_4.OscalCompleteSchema{}
- err = json.Unmarshal(bytes, &oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
-
- // Marshal the document back to yaml
- marshaled, err := json.Marshal(oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
-
- actual := map[string]interface{}{}
- expected := map[string]interface{}{}
- err = json.Unmarshal(marshaled, &actual)
- if err != nil {
- t.Fatal(err)
- }
- err = json.Unmarshal(bytes, &expected)
- if err != nil {
- t.Fatal(err)
- }
-
- if !validateMapKeys(actual, expected) {
- t.Error("expected marshaled json to be equal to the original json")
- }
- }
- })
- t.Run("Rev5", func(t *testing.T) {
- t.Parallel()
- dir, err := os.ReadDir(rev5JsonPath)
- if err != nil {
- t.Fatal(err)
- }
-
- for _, file := range dir {
- bytes, err := os.ReadFile(rev5JsonPath + file.Name())
- if err != nil {
- t.Fatal(err)
- }
- oscalDoc := oscalTypes_1_1_1.OscalCompleteSchema{}
- err = json.Unmarshal(bytes, &oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
-
- // Marshal the document back to yaml
- marshaled, err := json.Marshal(oscalDoc)
- if err != nil {
- t.Fatal(err)
- }
-
- actual := map[string]interface{}{}
- expected := map[string]interface{}{}
- err = json.Unmarshal(marshaled, &actual)
- if err != nil {
- t.Fatal(err)
- }
- err = json.Unmarshal(bytes, &expected)
- if err != nil {
- t.Fatal(err)
- }
-
- if !validateMapKeys(actual, expected) {
- t.Error("expected marshaled json to be equal to the original json")
- }
- }
- })
-
-}
-
-func ValidateKeys(model map[string]interface{}, typeString string, t *testing.T) {
- for key, value := range model {
- if !strings.Contains(typeString, "yaml:\""+key) {
- t.Errorf("expected key %s not found", key)
- }
-
- // If the model is a map find the next value
- if rootAsMap, ok := value.(map[string]interface{}); ok {
- if _, ok := keysToNotRecurse[key]; !ok {
- ValidateKeys(rootAsMap, typeString, t)
- }
- }
-
- // If the model is a rootAsSlice find the next value
- if rootAsSlice, ok := value.([]interface{}); ok {
- if len(rootAsSlice) > 0 {
- if rootAsMap, ok := rootAsSlice[0].(map[string]interface{}); ok {
- ValidateKeys(rootAsMap, typeString, t)
- }
- }
- }
- }
-}
-
-func collectKeys(mapData map[string]interface{}, keys map[string]struct{}) {
- for key, value := range mapData {
- keys[key] = struct{}{}
- if nestedMap, ok := value.(map[string]interface{}); ok {
- collectKeys(nestedMap, keys)
- }
- }
-}
-
-func validateMapKeys(map1, map2 map[string]interface{}) bool {
- keys1 := make(map[string]struct{})
- keys2 := make(map[string]struct{})
-
- collectKeys(map1, keys1)
- collectKeys(map2, keys2)
-
- return reflect.DeepEqual(keys1, keys2)
-}
diff --git a/src/cmd/generate/generate_test.go b/src/cmd/generate/generate_test.go
deleted file mode 100644
index e981bbe5..00000000
--- a/src/cmd/generate/generate_test.go
+++ /dev/null
@@ -1,74 +0,0 @@
-package generate
-
-import (
- "bytes"
- "strings"
- "testing"
-
- "github.com/defenseunicorns/go-oscal/src/gooscaltest"
-)
-
-func TestGenerateCmd(t *testing.T) {
- t.Parallel()
- testInput := "../../internal/schemas/oscal_complete_schema-1-0-4.json"
- packageName := "oscalTypes"
- tags := "json,yaml"
- tempDir := t.TempDir()
- GenerateCmd.SetOut(new(bytes.Buffer))
-
- logOutput := gooscaltest.RedirectLog(t)
-
- t.Run("baseline", func(t *testing.T) {
- expectedValues := []string{"Catalog", "Profile", "ComponentDefinition", "SystemSecurityPlan", "AssessmentPlan", "AssessmentResults", "PlanOfActionAndMilestones", "yaml:", "json"}
-
- GenerateCmd.SetArgs([]string{"-f", testInput, "-t", tags, "-p", packageName})
- err := GenerateCmd.Execute()
- if err != nil {
- t.Error("expected nil, got", err)
- }
- actual := string(gooscaltest.ReadLog(t, logOutput))
-
- t.Run("generates a go types document that gets logged if no output file is provided", func(t *testing.T) {
- for _, val := range expectedValues {
- if !strings.Contains(actual, val) {
- t.Error("expected", val, "got", actual)
- }
- }
- })
-
- t.Run("sets the package name using the -p flag", func(t *testing.T) {
- if !strings.Contains(actual, "package "+packageName) {
- t.Error("expected package oscalTypes, got", actual)
- }
- })
- })
-
- t.Run("input-file", func(t *testing.T) {
-
- t.Run("returns an error if no inputfile is provided", func(t *testing.T) {
- GenerateCmd.SetArgs([]string{"-f", ""})
- err := GenerateCmd.Execute()
- if err == nil {
- t.Errorf("Expected error, got nil")
- }
- })
- t.Run("returns an error if it fails to read the input file", func(t *testing.T) {
- GenerateCmd.SetArgs([]string{"-f", "non-existant.json"})
- err := GenerateCmd.Execute()
- if err == nil {
- t.Errorf("Expected error, got nil")
- }
- })
- })
-
- t.Run("output-file", func(t *testing.T) {
- t.Run("outputs to a file if the -o flag is provided", func(t *testing.T) {
- outputFile := tempDir + "/test_output.go"
- GenerateCmd.SetArgs([]string{"-f", testInput, "-o", outputFile})
- err := GenerateCmd.Execute()
- if err != nil {
- t.Error("expected nil, got", err)
- }
- })
- })
-}
diff --git a/src/cmd/root.go b/src/cmd/root.go
index a69b10c5..49161808 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -6,7 +6,6 @@ import (
 "os"
 "github.com/defenseunicorns/go-oscal/src/cmd/doctor"
- "github.com/defenseunicorns/go-oscal/src/cmd/generate"
 "github.com/defenseunicorns/go-oscal/src/cmd/revise"
 "github.com/defenseunicorns/go-oscal/src/cmd/validate"
 "github.com/defenseunicorns/go-oscal/src/internal/logging"
@@ -46,7 +45,6 @@ func init() {
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
 commands := []*cobra.Command{
- generate.GenerateCmd,
 revise.ReviseCmd,
 validate.ValidateCmd,
 doctor.DoctorCmd,
diff --git a/src/internal/generate/generate.go b/src/internal/generate/generate.go
deleted file mode 100644
index 2894a8cc..00000000
--- a/src/internal/generate/generate.go
+++ /dev/null
@@ -1,356 +0,0 @@
-package generate
-
-import (
- "fmt"
- "go/format"
- "reflect"
- "slices"
-
- "github.com/swaggest/jsonschema-go"
-)
-
-// BaseFlags represents command-line flags for the base go-oscal command.
-type BaseFlags struct {
- InputFile string // -f / --input-file
- OutputFile string // -o / --output-file
- Pkg string // -p / --pkg
- Tags string // -t / --tags
-}
-
-type GeneratorConfig struct {
- tags []string
- pkgName string
- refQueue RefQueue
- definitions map[string]jsonschema.Schema
- structMap map[string]string
- nameMap map[string]string
-}
-
-func NewGeneratorConfig(tags []string, pkgName string) GeneratorConfig {
- return GeneratorConfig{
- tags: tags,
- pkgName: pkgName,
- refQueue: NewRefQueue(),
- definitions: map[string]jsonschema.Schema{},
- structMap: map[string]string{},
- nameMap: map[string]string{},
- }
-}
-
-// Generate a struct definition given a JSON string representation of an object.
-func Generate(oscalSchema []byte, pkgName string, tags []string) (typeBytes []byte, err error) {
- schema, err := populateSchema(oscalSchema)
- if err != nil {
- return typeBytes, err
- }
-
- config := NewGeneratorConfig(tags, pkgName)
-
- // Initialize the build process.
- err = config.initBuild(&schema)
- if err != nil {
- return typeBytes, err
- }
-
- err = config.buildStructs()
- if err != nil {
- return typeBytes, err
- }
-
- // Add header comment
- typeString := fmt.Sprintf("%s\n", headerComment)
-
- // Add the package name
- typeString += fmt.Sprintf("package %s\n\n", pkgName)
-
- // Add additional imports
- typeString += buildImportString()
-
- // Add the struct definitions in order of creation.
- for _, ref := range config.refQueue.History() {
- typeString += config.structMap[ref] + "\n\n"
- }
-
- typeBytes = []byte(typeString)
-
- // Format the bytes
- typeBytes, err = format.Source(typeBytes)
- if err != nil {
- return typeBytes, err
- }
-
- return typeBytes, nil
-}
-
-// initBuild initializes the build process by adding the root schema to the ref queue and building the definitions map.
-func (c *GeneratorConfig) initBuild(schema *jsonschema.Schema) (err error) {
- if schema.ID == nil {
- return fmt.Errorf("unable to find $id in schema")
- }
-
- if schema.Definitions != nil {
- c.definitions, err = getDefinitionMap(*schema)
- if err != nil {
- return err
- }
- }
-
- // No properties, so we need to add the properties from the oneOf schemas.
- if schema.Properties == nil {
- schema.Properties = map[string]jsonschema.SchemaOrBool{}
- if schema.OneOf != nil {
- for _, oneOf := range schema.OneOf {
- if oneOf.TypeObject.Properties != nil {
- for key, prop := range oneOf.TypeObject.Properties {
- if prop.TypeObject.Ref != nil && !RefsToIgnore[*prop.TypeObject.Ref] {
- schema.Properties[key] = prop
- }
- }
- }
- }
- }
- }
-
- // add the schema to the definitions map
- c.definitions[*schema.ID] = *schema
- // Add the root schema to the ref queue.
- c.refQueue.Add(*schema.ID)
- return err
-}
-
-func (c *GeneratorConfig) buildStructs() (err error) {
- // While the ref queue is not empty, pop the ref and build the struct string.
- for c.refQueue.Len() > 0 {
- ref := c.refQueue.Pop()
-
- // Look up the schema for the ref, return an error if not found.
- def, ok := c.definitions[ref]
- if !ok {
- return fmt.Errorf("unable to find schema for %s", ref)
- }
-
- // Build the struct string for the ref.
- structString, err := c.buildStructString(def)
- if err != nil {
- return err
- }
-
- // Add the struct string to the struct map.
- c.structMap[ref] = structString
- }
-
- return err
-}
-
-func (c *GeneratorConfig) buildStructString(def jsonschema.Schema) (structString string, err error) {
-
- // Create a map of required fields
- required := map[string]bool{}
- for _, req := range def.Required {
- required[req] = true
- }
-
- // Get the name of the struct
- name, err := c.findSubType(def)
- if err != nil {
- return structString, err
- }
-
- // create a slice of the keys in the properties map
- var keys []string
- for key := range def.Properties {
- if !KeysToIgnore[key] {
- keys = append(keys, key)
- }
- }
- // Sort the keys alphabetically
- slices.Sort(keys)
-
- // If there are no properties, return a map[string]interface{} type
- if len(keys) == 0 {
- structString = fmt.Sprintf("type %s = map[string]interface{}", name)
- return structString, err
- }
-
- // Generate aliases for the struct if they exist
- if aliases, ok := Aliases[name]; ok {
- for _, alias := range aliases {
- structString += fmt.Sprintf("type %s = %s\n", alias, name)
- }
- }
-
- // Add top level struct definition
- structString += fmt.Sprintf("type %s struct {\n", name)
-
- // Add the properties to the struct string
- for _, key := range keys {
- // Set the parent of the property schema to the definition
- // Allows for the parent to be used in case of duplicate types
- def.Properties[key].TypeObject.Parent = &def
-
- // Get the property schema
- prop := def.Properties[key]
- propSchema := prop.TypeObject
-
- // Build the property name, type, and tags
- propName := FmtFieldName(key)
- propType, err := c.buildTypeString(*propSchema)
- if err != nil {
- return structString, err
- }
-
- propType = addPointerIfOptionalNonPrimitive(required[key], propType)
- propTags := buildTagString(c.tags, key, required[key])
- structString += fmt.Sprintf("\t%s %s %s\n", propName, propType, propTags)
- }
- // Close the struct
- structString += "}"
- if err != nil {
- return structString, err
- }
-
- return structString, err
-}
-
-// buildTypeString builds the type string for a given property.
-func (c *GeneratorConfig) buildTypeString(property jsonschema.Schema) (propType string, err error) {
- var possibleRefs []string
-
- if property.Type != nil && property.Type.SimpleTypes != nil {
- jsonType := getJsonOrCustomType(property)
- // convert json type to go type
- propType = getGoType(jsonType)
- // if the type is not primitive, we need to add the name of the type
- if !isPrimitiveOrCustomJsonType(jsonType) {
- name, err := c.findSubType(property)
- if err != nil {
- return "", err
- }
- propType += name
- }
- return propType, err
- } else if property.Ref != nil {
- // If the property is a ref, we need to find the schema for the ref and build the type string for that schema.
- def, ok := c.definitions[*property.Ref]
- if !ok {
- return "", fmt.Errorf("unable to find schema for %s", *property.Ref)
- }
- // Set the parent of the definition to the property
- def.Parent = &property
- return c.buildTypeString(def)
-
- } else {
- // TODO: Handle anyOf, allOf, oneOf
- // We should be creating new structs for these types.
- // Right now assumes that the first is a ref to a primitive per the current patterns. This may not be true.
- // Should probably create a new struct with each of the possible types. (logic for creating golang enum?, just use primitives?, "or" types?)
- for _, schema := range property.AllOf {
- if schema.TypeObject.Ref != nil {
- possibleRefs = append(possibleRefs, *schema.TypeObject.Ref)
- }
- }
- for _, schema := range property.AnyOf {
- if schema.TypeObject.Ref != nil {
- possibleRefs = append(possibleRefs, *schema.TypeObject.Ref)
- }
- }
- // Find the first possible ref and recurse.
- if len(possibleRefs) > 0 {
- def, ok := c.definitions[possibleRefs[0]]
- if !ok {
- return "", fmt.Errorf("unable to find schema for %s", possibleRefs[0])
- }
- // Set the parent of the definition to the property
- def.Parent = &property
- return c.buildTypeString(def)
- } else {
- // Could not determine the type of the prop so return an error.
- return "", fmt.Errorf("could not determine type for property %v", property)
- }
- }
-}
-
-// findSubType finds the name of the type for the given schema.
-func (c *GeneratorConfig) findSubType(schema jsonschema.Schema) (name string, err error) {
- simpleType := getJsonOrCustomType(schema)
- switch simpleType {
- case "object":
- // If the schema has a ref, we need to find the name of the ref.
- ref, err := getRef(schema)
- if err != nil {
- return name, err
- }
- // Create a name from the ref
- name = getNameFromRef(ref)
- // Check if the name is already in use and if so, append the parent name to the name.
- ref, name = c.handleDuplicates(ref, name, schema)
- c.nameMap[name] = ref
- // Add the ref to the ref queue if it is not already in the queue.
- c.refQueue.Add(ref)
- // Add the schema to the definitions map if it is not already in the map.
- if _, ok := c.definitions[ref]; !ok {
- c.definitions[ref] = schema
- }
- case "array":
- // If the schema has items, we need to find the name of the items.
- if schema.Items.SchemaOrBoolEns() != nil {
- def := *schema.Items.SchemaOrBool.TypeObject
- def.Parent = &schema
- name, err = c.buildTypeString(def)
- } else if schema.Items.SchemaArray != nil {
- def := *schema.Items.SchemaArray[0].TypeObject
- def.Parent = &schema
- name, err = c.buildTypeString(def)
- } else {
- err = fmt.Errorf("could not determine name for %v", schema)
- }
- case "":
- if schema.Ref != nil {
- def := c.definitions[*schema.Ref]
- def.Parent = &schema
- name, err = c.buildTypeString(def)
- } else if schema.ID != nil {
- def := c.definitions[*schema.ID]
- def.Parent = &schema
- name, err = c.buildTypeString(def)
- } else {
- err = fmt.Errorf("could not determine name for %v", schema)
- }
- default:
- name = simpleType
- }
-
- return name, err
-}
-
-// handleDuplicates checks if the name is already in use and if so, appends the parent name to the name.
-func (c *GeneratorConfig) handleDuplicates(ref string, name string, schema jsonschema.Schema) (string, string) {
- if currentRef, ok := c.nameMap[name]; ok {
- // Points to a different definition
- if currentRef != ref {
- // If the definitions are the same, return the current ref and name
- existing := c.definitions[currentRef]
- if reflect.DeepEqual(existing, schema) {
- return currentRef, name
- }
- // If the definitions are different, try the title
- if schema.Title != nil && (existing.Title == nil || *existing.Title != *schema.Title) {
- newName := getNameFromTitle(*schema.Title)
- return c.handleDuplicates(getRefWithName(newName), newName, schema)
- }
- // If the title is the same, try the parent
- parent := schema.Parent
- parentRef, _ := getRef(*parent)
- if parentRef != "" {
- prefix := getNameFromRef(parentRef)
- if prefix != name {
- newName := prefix + name
- newRef := "#/definitions/" + newName
- return c.handleDuplicates(newRef, newName, *parent)
- }
- }
- return c.handleDuplicates(ref, name, *parent)
- }
- }
- return ref, name
-}
diff --git a/src/internal/generate/generate_ref_queue.go b/src/internal/generate/generate_ref_queue.go
deleted file mode 100644
index 8da3d1cf..00000000
--- a/src/internal/generate/generate_ref_queue.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package generate
-
-type RefQueue struct {
- refs []string
- refMap map[string]bool
- refHistory []string
-}
-
-func NewRefQueue() RefQueue {
- return RefQueue{
- refs: []string{},
- refMap: map[string]bool{},
- refHistory: []string{},
- }
-}
-
-func (r *RefQueue) Add(ref string) {
- if has := r.refMap[ref]; !has {
- r.refMap[ref] = true
- r.refs = append(r.refs, ref)
- r.refHistory = append(r.refHistory, ref)
- }
-}
-
-func (r *RefQueue) Pop() string {
- if len(r.refs) > 0 {
- ref := r.refs[0]
- if len(r.refs) != 1 {
- r.refs = r.refs[1:]
- } else {
- r.refs = []string{}
- }
- return ref
- }
- return ""
-}
-
-func (r *RefQueue) History() []string {
- return r.refHistory
-}
-
-func (r *RefQueue) Len() int {
- return len(r.refs)
-}
diff --git a/src/internal/generate/generate_test.go b/src/internal/generate/generate_test.go
deleted file mode 100644
index a78847d1..00000000
--- a/src/internal/generate/generate_test.go
+++ /dev/null
@@ -1,383 +0,0 @@
-package generate
-
-import (
- "go/format"
- "os"
- "strings"
- "sync"
- "testing"
-
- "github.com/defenseunicorns/go-oscal/src/pkg/files"
- "github.com/swaggest/jsonschema-go"
-)
-
-const (
- schemaPath string = "../schemas/"
- fieldsPresentFilePath string = "../../../testdata/fields-present.json"
- fieldsMissingFilePath string = "../../../testdata/fields-missing.json"
-)
-
-var (
- schemaMutex = sync.Mutex{}
- schemaByteMap = map[string][]byte{}
- writeOutput = true
- deterministicTestCount = 10
-)
-
-func TestGenerate(t *testing.T) {
- t.Parallel()
- getSchemaByteMap(t)
-
- t.Run("CompleteSchema", func(t *testing.T) {
-
- for path, schemaBytes := range schemaByteMap {
- if !strings.Contains(path, "_complete_schema") {
- continue
- }
-
- pkgPath := strings.ReplaceAll(path, "_complete_schema", "")
- pkgPath = strings.ReplaceAll(pkgPath, ".json", "")
- pkgName := strings.ReplaceAll(pkgPath, "-", "_")
- pkgName = strings.ReplaceAll(pkgName, "oscal", "oscalTypes")
-
- bytes, err := Generate(schemaBytes, pkgName, []string{"json", "yaml"})
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if writeOutput {
- files.WriteOutput(bytes, "../../types/"+pkgPath+"/types.go")
- }
- }
- })
-
-}
-
-func TestGenerateDeterministic(t *testing.T) {
- t.Parallel()
- getSchemaByteMap(t)
-
- var previousBytes []byte
-
- for _, schemaBytes := range schemaByteMap {
- previousBytes = nil
- for i := 0; i < deterministicTestCount; i++ {
- bytes, err := Generate(schemaBytes, "oscalTypes", []string{"json", "yaml"})
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if previousBytes == nil {
- previousBytes = bytes
- continue
- }
- if string(previousBytes) != string(bytes) {
- t.Error("expected deterministic output")
- }
- }
- }
-}
-
-func TestBuildStructs(t *testing.T) {
- t.Parallel()
- getSchemaByteMap(t)
-
- for _, schemaBytes := range schemaByteMap {
- schema, err := buildSchema(schemaBytes)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- config := NewGeneratorConfig([]string{"json", "yaml"}, "oscalTypes")
-
- err = config.initBuild(&schema)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- err = config.buildStructs()
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- var structMap = map[string]string{}
- duplicates := []string{}
- for k, value := range config.structMap {
- firstLine := strings.ReplaceAll(strings.Split(value, "\n")[0], " ", "")
- mapValue := structMap[firstLine]
- if mapValue == "" {
- structMap[firstLine] = k
- continue
- }
-
- if mapValue != k {
- duplicates = append(duplicates, "Duplicate struct name found: ", k, " and ", mapValue)
- }
- }
-
- if len(duplicates) > 0 {
- t.Errorf("expected no duplicates, got %v", duplicates)
- }
- }
-
-}
-
-func TestBuildStructString(t *testing.T) {
- t.Parallel()
- getSchemaByteMap(t)
- schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"])
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- definitions, err := getDefinitionMap(schema)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- t.Run("It builds a struct string given a schema object", func(t *testing.T) {
- t.Parallel()
- config := GeneratorConfig{
- tags: []string{"json", "yaml"},
- definitions: definitions,
- pkgName: "oscalTypes",
- refQueue: NewRefQueue(),
- nameMap: map[string]string{},
- }
- result, err := config.buildStructString(*schema.Definitions["oscal-complete-oscal-catalog:catalog"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- bytes, err := format.Source([]byte(result))
- if err != nil {
- t.Fatal(err)
- }
- actual := string(bytes)
-
- bytes, err = os.ReadFile("../../../testdata/generation/structs/catalog.go")
- if err != nil {
- t.Fatal(err)
- }
-
- expected := string(bytes)
-
- if actual != expected {
- t.Errorf("expected %s, got %s", expected, result)
- }
- })
-
- t.Run("It handles an object with no properties by aliasing it to map[string]interface{} for json representation", func(t *testing.T) {
- t.Parallel()
- config := GeneratorConfig{
- tags: []string{"json", "yaml"},
- definitions: definitions,
- pkgName: "oscalTypes",
- refQueue: NewRefQueue(),
- nameMap: map[string]string{},
- }
- result, err := config.buildStructString(*schema.Definitions["oscal-complete-oscal-control-common:include-all"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- bytes, err := format.Source([]byte(result))
- if err != nil {
- t.Fatal(err)
- }
- actual := string(bytes)
- expected, err := os.ReadFile("../../../testdata/generation/structs/include-all.go")
- if err != nil {
- t.Fatal(err)
- }
-
- if actual != string(expected) {
- t.Errorf("expected %s, got %s", expected, actual)
- }
- })
-
- t.Run("It adds an alias if one exists", func(t *testing.T) {
- t.Parallel()
- config := NewGeneratorConfig([]string{"json", "yaml"}, "oscalTypes")
- config.definitions = definitions
- config.initBuild(&schema)
-
- result, err := config.buildStructString(config.definitions[config.refQueue.Pop()])
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- if !strings.Contains(result, "type OscalModels = OscalCompleteSchema") {
- t.Errorf("expected %s to contain %s", result, "type OscalModels = OscalCompleteSchema")
- }
-
- })
-}
-
-func TestGetTypeSuffix(t *testing.T) {
- t.Parallel()
- getSchemaByteMap(t)
-
- schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"])
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- definitions, err := getDefinitionMap(schema)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- config := GeneratorConfig{
- tags: []string{"json", "yaml"},
- definitions: definitions,
- pkgName: "oscalTypes",
- refQueue: NewRefQueue(),
- nameMap: map[string]string{},
- }
- t.Run("It returns the object typename given a schema object", func(t *testing.T) {
- result, err := config.findSubType(*schema.Definitions["oscal-complete-oscal-catalog:catalog"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if result != "Catalog" {
- t.Errorf("expected %s, got %s", "Catalog", result)
- }
- })
-
- t.Run("It returns an array complex type name given a schema array", func(t *testing.T) {
- result, err := config.findSubType(*schema.Definitions["oscal-complete-oscal-catalog:catalog"].TypeObject.Properties["groups"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if result != "Group" {
- t.Errorf("expected %s, got %s", "Group", result)
- }
- })
-
- t.Run("It uses the the title to contain the type if no $ref or $id is present and adds to queue", func(t *testing.T) {
- ref := "#/definitions/ConstraintTest"
- found := false
- result, err := config.findSubType(*schema.Definitions["oscal-complete-oscal-control-common:parameter-constraint"].TypeObject.Properties["tests"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if result != "ConstraintTest" {
- t.Errorf("expected %s, got %s", "ConstraintTest", result)
- }
- for _, q := range config.refQueue.refs {
- if q == ref {
- found = true
- }
- }
- if !found {
- t.Errorf("expected %s to be in queue", ref)
- }
- if config.definitions[ref].Type == nil {
- t.Errorf("expected %s to be in definitions", ref)
- }
- })
-}
-
-func TestBuildTypeString(t *testing.T) {
- t.Parallel()
- getSchemaByteMap(t)
-
- schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"])
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- definitions, err := getDefinitionMap(schema)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
-
- config := GeneratorConfig{
- tags: []string{"json", "yaml"},
- definitions: definitions,
- pkgName: "oscalTypes",
- refQueue: NewRefQueue(),
- nameMap: map[string]string{},
- }
-
- t.Run("It returns the associated primitive gotype when given a schema of a primitive type", func(t *testing.T) {
- result, err := config.buildTypeString(*schema.Definitions["oscal-complete-oscal-catalog:catalog"].TypeObject.Properties["uuid"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if result != "string" {
- t.Errorf("expected %s, got %s", "string", result)
- }
-
- })
-
- t.Run("It returns the first ref type when given a schema that implements allOf", func(t *testing.T) {
- result, err := config.buildTypeString(*schema.Definitions["oscal-complete-oscal-control-common:parameter-selection"].TypeObject.Properties["how-many"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if result != "string" {
- t.Errorf("expected %s, got %s", "string", result)
- }
-
- })
-
- t.Run("It returns the first ref type when given a schema that implements anyOf", func(t *testing.T) {
- result, err := config.buildTypeString(*schema.Definitions["oscal-complete-oscal-metadata:link"].TypeObject.Properties["rel"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if result != "string" {
- t.Errorf("expected %s, got %s", "string", result)
- }
- })
-
- t.Run("It returns an array type in the format []type when given a schema that implements array", func(t *testing.T) {
- result, err := config.buildTypeString(*schema.Definitions["oscal-complete-oscal-catalog:catalog"].TypeObject.Properties["groups"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if result != "[]Group" {
- t.Errorf("expected %s, got %s", "[]Group", result)
- }
- })
-
- t.Run("It returns the struct name of the object when given a schema that implements object", func(t *testing.T) {
- result, err := config.buildTypeString(*schema.Definitions["oscal-complete-oscal-catalog:catalog"].TypeObject)
- if err != nil {
- t.Errorf("expected no error, got %v", err)
- }
- if result != "Catalog" {
- t.Errorf("expected %s, got %s", "Catalog", result)
- }
- })
-}
-
-func buildSchema(schemaBytes []byte) (jsonschema.Schema, error) {
- schema := jsonschema.Schema{}
- err := schema.UnmarshalJSON(schemaBytes)
- if err != nil {
- return jsonschema.Schema{}, err
- }
- return schema, nil
-}
-
-func getSchemaByteMap(t *testing.T) {
- schemaMutex.Lock()
- defer schemaMutex.Unlock()
- if len(schemaByteMap) == 0 {
- dir, err := os.ReadDir(schemaPath)
- if err != nil {
- panic(err)
- }
- for _, file := range dir {
- path := file.Name()
- if !strings.Contains(path, ".json") {
- continue
- }
- schemaBytes, err := os.ReadFile(schemaPath + path)
- if err != nil {
- t.Fatalf("expected no error, got %v", err)
- }
- schemaByteMap[path] = schemaBytes
- }
- }
-}
diff --git a/src/internal/generate/generate_utils.go b/src/internal/generate/generate_utils.go
deleted file mode 100644
index 6ca639b7..00000000
--- a/src/internal/generate/generate_utils.go
+++ /dev/null
@@ -1,398 +0,0 @@
-package generate
-
-import (
- "fmt"
- "regexp"
- "strconv"
- "strings"
- "unicode"
-
- "github.com/swaggest/jsonschema-go"
-)
-
-var Imports []string = []string{"time"}
-
-var GoPrimitive map[string]bool = map[string]bool{
- "string": true,
- "bool": true,
- "float64": true,
- "int": true,
-}
-
-var PrimitiveAndCustomTypes map[string]string = map[string]string{
- "string": "string",
- "boolean": "bool",
- "number": "float64",
- "integer": "int",
- "date-time": "time.Time",
-}
-
-var ComplexTypes map[string]string = map[string]string{
- "array": "[]",
-}
-
-var RefsToIgnore map[string]bool = map[string]bool{
- "#json-schema-directive": true,
-}
-
-var KeysToIgnore map[string]bool = map[string]bool{
- "$schema": true,
-}
-
-var Aliases map[string][]string = map[string][]string{
- "OscalCompleteSchema": {"OscalModels"},
-}
-
-const headerComment string = `/*
- This file was auto-generated with go-oscal.
-
- To regenerate:
-
- go-oscal generate \
- --input-file \
- --output-file // the path to this file must already exist \
- --tags json,yaml // the tags to add to the Go structs \
- --pkg // defaults to "main"
-
- For more information on how to use go-oscal: go-oscal --help
-
- Source: https://github.com/defenseunicorns/go-oscal
- */`
-
-// commonInitialisms is a set of common initialisms.
-// Only add entries that are highly unlikely to be non-initialisms.
-// For instance, "ID" is fine (Freudian code is rare), but "AND" is not.
-var commonInitialisms = map[string]bool{
- "API": true,
- "ASCII": true,
- "CPU": true,
- "CSS": true,
- "DNS": true,
- "EOF": true,
- "GUID": true,
- "HTML": true,
- "HTTP": true,
- "HTTPS": true,
- "ID": true,
- "IP": true,
- "JSON": true,
- "LHS": true,
- "QPS": true,
- "RAM": true,
- "RHS": true,
- "RPC": true,
- "SLA": true,
- "SMTP": true,
- "SSH": true,
- "TLS": true,
- "TTL": true,
- "UI": true,
- "UID": true,
- "UUID": true,
- "URI": true,
- "URL": true,
- "UTF8": true,
- "VM": true,
- "XML": true,
- "NTP": true,
- "DB": true,
-}
-
-var intToWordMap = []string{
- "zero",
- "one",
- "two",
- "three",
- "four",
- "five",
- "six",
- "seven",
- "eight",
- "nine",
-}
-
-// addPointerIfOptionalNonPrimitive adds a pointer to the type if the field is optional
-func addPointerIfOptionalNonPrimitive(required bool, t string) string {
-
- if required || GoPrimitive[t] {
- return t
- }
- return "*" + t
-}
-
-// buildStructs builds the structs for each definition in the schema
-func buildTagString(tags []string, field string, required bool) string {
- tagStrings := []string{}
- tagSuffix := ",omitempty"
-
- // No tags, return empty string
- if len(tags) == 0 {
- return ""
- }
-
- // If required, remove omitempty
- if required {
- tagSuffix = ""
- }
-
- // Build tag string for each tag
- for _, tag := range tags {
- tagStrings = append(tagStrings, fmt.Sprintf("%s:\"%s%s\"", tag, field, tagSuffix))
- }
- return "`" + strings.Join(tagStrings, " ") + "`"
-}
-
-// getRef builds a ref string from a schema
-func getRef(schema jsonschema.Schema) (string, error) {
- if schema.Ref != nil {
- return *schema.Ref, nil
- } else if schema.ID != nil {
- return *schema.ID, nil
- } else if schema.Title != nil {
- return getRefWithName(getNameFromTitle(*schema.Title)), nil
- }
- return "", fmt.Errorf("unable to get ref from schema")
-}
-
-func getNameFromTitle(title string) string {
- split := strings.Split(title, " ")
- name := ""
- for _, s := range split {
- name += FmtFieldName(s)
- }
- return name
-}
-
-func getRefWithName(name string) string {
- return "#/definitions/" + name
-}
-
-// getCustomTypeKey returns the custom type key if the schema has a custom type
-func getCustomTypeKey(schema jsonschema.Schema) string {
- // If the schema has a format, check if it's a custom type
- if schema.Format != nil {
- if _, ok := PrimitiveAndCustomTypes[*schema.Format]; ok {
- return *schema.Format
- }
- }
- return ""
-}
-
-// getJsonOrCustomType returns the json type of the schema
-func getJsonOrCustomType(schema jsonschema.Schema) string {
- // if the schema has a custom type, return the custom type
- if importType := getCustomTypeKey(schema); importType != "" {
- return importType
- }
- if schema.Type != nil {
- return string(*schema.Type.SimpleTypes)
- }
- return ""
-}
-
-// isPrimitiveOrCustomJsonType returns true if the type is a primitive type or a custom type
-func isPrimitiveOrCustomJsonType(t string) bool {
- lower := strings.ToLower(t)
- return PrimitiveAndCustomTypes[lower] != ""
-}
-
-// getGoType returns the Go type for a given JSON type
-func getGoType(t string) string {
- lower := strings.ToLower(t)
-
- if PrimitiveAndCustomTypes[lower] != "" {
- return PrimitiveAndCustomTypes[lower]
- }
-
- return ComplexTypes[lower]
-}
-
-// populateSchema unmarshals the OSCAL JSON schema file into a jsonschema.Schema object
-func populateSchema(oscalSchema []byte) (jsonschema.Schema, error) {
- schema := jsonschema.Schema{}
- err := schema.UnmarshalJSON(oscalSchema)
- return schema, err
-}
-
-// getNameFromRef returns the name of the struct from a ref
-func getNameFromRef(ref string) string {
- pattern := regexp.MustCompile("[/_]")
- splitPathSeperator := pattern.Split(ref, -1)
- splitFileExt := strings.Split(splitPathSeperator[len(splitPathSeperator)-1], ".")
- return FmtFieldName(splitFileExt[0])
-}
-
-// getDefinitionMap generates a map of definitions from the OSCAL JSON schema file.
-// The key is the $id or $ref, and the value is the schemaOrBool object.
-func getDefinitionMap(schema jsonschema.Schema) (map[string]jsonschema.Schema, error) {
- result := make(map[string]jsonschema.Schema)
- for definition, item := range schema.Definitions {
- typeObj := *item.TypeObject
-
- // If the object has no Parent, set the parent to the schema
- if typeObj.Parent == nil {
- typeObj.Parent = &schema
- }
-
- // If the object has an ID, use that as the key, otherwise use the definition name
- if typeObj.ID != nil {
- result[*item.TypeObject.ID] = typeObj
- } else {
- result["#/definitions/"+definition] = typeObj
- }
- }
- if len(result) == 0 {
- return nil, fmt.Errorf("no definitions found in the OSCAL JSON schema file, please verify the OSCAL JSON schema file is valid")
- }
- return result, nil
-}
-
-/*
- FmtFieldName formats a string as a struct key
-
-Example:
-
- FmtFieldName("foo_id")
-
- Output: FooID
-*/
-func FmtFieldName(s string) string {
- runes := []rune(s)
- for len(runes) > 0 && !unicode.IsLetter(runes[0]) && !unicode.IsDigit(runes[0]) {
- runes = runes[1:]
- }
- if len(runes) == 0 {
- return "_"
- }
-
- s = stringifyFirstChar(string(runes))
- name := lintFieldName(s)
- runes = []rune(name)
- for i, c := range runes {
- ok := unicode.IsLetter(c) || unicode.IsDigit(c)
- if i == 0 {
- ok = unicode.IsLetter(c)
- }
- if !ok {
- runes[i] = '_'
- }
- }
- s = string(runes)
- s = strings.Trim(s, "_")
- if len(s) == 0 {
- return "_"
- }
- result := ""
- for _, v := range strings.Split(s, "_") {
- runes := []rune(v)
- runes[0] = unicode.ToUpper(runes[0])
- result += string(runes)
- }
- return result
-}
-
-func lintFieldName(name string) string {
- // Fast path for simple cases: "_" and all lowercase.
- if name == "_" {
- return name
- }
-
- allLower := true
- for _, r := range name {
- if !unicode.IsLower(r) {
- allLower = false
- break
- }
- }
- if allLower {
- runes := []rune(name)
- if u := strings.ToUpper(name); commonInitialisms[u] {
- copy(runes[0:], []rune(u))
- } else {
- runes[0] = unicode.ToUpper(runes[0])
- }
- return string(runes)
- }
-
- allUpperWithUnderscore := true
- for _, r := range name {
- if !unicode.IsUpper(r) && r != '_' {
- allUpperWithUnderscore = false
- break
- }
- }
- if allUpperWithUnderscore {
- name = strings.ToLower(name)
- }
-
- // Split camelCase at any lower->upper transition, and split on underscores.
- // Check each word for common initialisms.
- runes := []rune(name)
- w, i := 0, 0 // index of start of word, scan
- for i+1 <= len(runes) {
- eow := false // whether we hit the end of a word
-
- if i+1 == len(runes) {
- eow = true
- } else if runes[i+1] == '_' {
- // underscore; shift the remainder forward over any run of underscores
- eow = true
- n := 1
- for i+n+1 < len(runes) && runes[i+n+1] == '_' {
- n++
- }
-
- // Leave at most one underscore if the underscore is between two digits
- if i+n+1 < len(runes) && unicode.IsDigit(runes[i]) && unicode.IsDigit(runes[i+n+1]) {
- n--
- }
-
- copy(runes[i+1:], runes[i+n+1:])
- runes = runes[:len(runes)-n]
- } else if unicode.IsLower(runes[i]) && !unicode.IsLower(runes[i+1]) {
- // lower -> non-lower
- eow = true
- }
- i++
- if !eow {
- continue
- }
-
- // [w,i) is a word.
- word := string(runes[w:i])
- if u := strings.ToUpper(word); commonInitialisms[u] {
- // All the common initialisms are ASCII,
- // so we can replace the bytes exactly.
- copy(runes[w:], []rune(u))
-
- } else if strings.ToLower(word) == word {
- // already all lowercase, and not the first word, so uppercase the first character.
- runes[w] = unicode.ToUpper(runes[w])
- }
- w = i
- }
- return string(runes)
-}
-
-// convert first character ints to strings
-func stringifyFirstChar(str string) string {
- first := str[:1]
-
- i, err := strconv.ParseInt(first, 10, 8)
-
- if err != nil {
- return str
- }
-
- return intToWordMap[i] + "_" + str[1:]
-}
-
-// buildImportString returns a string of imports for the Go file
-func buildImportString() string {
- imports := "import (\n"
- for _, imp := range Imports {
- imports += fmt.Sprintf("\t\"%s\"\n", imp)
- }
- imports += ")\n"
- return imports
-}
diff --git a/src/internal/generate/generate_utils_test.go b/src/internal/generate/generate_utils_test.go
deleted file mode 100644
index 520574d2..00000000
--- a/src/internal/generate/generate_utils_test.go
+++ /dev/null
@@ -1,335 +0,0 @@ -package generate - -import ( - "testing" - - "github.com/swaggest/jsonschema-go" -) - -func TestAddPointerIfOptionalNonPrimitive(t *testing.T) { - t.Parallel() - - type TestCase struct { - required bool - in string - out string - } - - testCases := []TestCase{ - {required: false, in: "", out: "*"}, - {required: true, in: "", out: ""}, - {required: false, in: "string", out: "string"}, - } - - for _, testCase := range testCases { - actual := addPointerIfOptionalNonPrimitive(testCase.required, testCase.in) - expected := testCase.out - if expected != actual { - t.Fatalf("error addPointerIfOptional(): expected: %s | got: %s", expected, actual) - } - } -} - -func TestBuildTagString(t *testing.T) { - t.Parallel() - - t.Run("It returns a tag string given a list of tags and a field name", func(t *testing.T) { - t.Parallel() - expected := "`json:\"test,omitempty\" yaml:\"test,omitempty\"`" - actual := buildTagString([]string{"json", "yaml"}, "test", false) - if actual != expected { - t.Errorf("expected %s, got %s", expected, actual) - } - }) - - t.Run("It leaves out omitempty if the field is required", func(t *testing.T) { - t.Parallel() - expected := "`json:\"test\" yaml:\"test\"`" - result := buildTagString([]string{"json", "yaml"}, "test", true) - if result != expected { - t.Errorf("expected %s, got %s", expected, result) - } - }) -} - -func TestGetRef(t *testing.T) { - t.Parallel() - getSchemaByteMap(t) - - t.Run("It returns the ref if it exists", func(t *testing.T) { - t.Parallel() - schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"]) - if err != nil { - t.Fatalf("error building schema: %s", err) - } - schemaWithRef := schema.OneOf[0].TypeObject.Properties["catalog"].TypeObject - - expected := "#assembly_oscal-catalog_catalog" - - actual, err := getRef(*schemaWithRef) - if err != nil { - t.Errorf("expected no error, got %s", err) - } - - if actual != expected { - t.Errorf("expected %s, got %s", expected, actual) - } - }) - - 
t.Run("It returns the id if it exists", func(t *testing.T) { - t.Parallel() - schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"]) - if err != nil { - t.Fatalf("error building schema: %s", err) - } - schemaWitId := schema.Definitions["oscal-complete-oscal-catalog:catalog"].TypeObject - expected := "#assembly_oscal-catalog_catalog" - - actual, err := getRef(*schemaWitId) - if err != nil { - t.Errorf("expected no error, got %s", err) - } - - if actual != expected { - t.Errorf("expected %s, got %s", expected, actual) - } - }) - - t.Run("It builds a ref with the title if no id and no ref exist", func(t *testing.T) { - t.Parallel() - schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"]) - if err != nil { - t.Fatalf("error building schema: %s", err) - } - schemaWithNoIdOrRef := schema.Definitions["oscal-complete-oscal-control-common:parameter-constraint"].TypeObject.Properties["tests"].TypeObject.Items.SchemaOrBool.TypeObject - expected := "#/definitions/ConstraintTest" - - actual, err := getRef(*schemaWithNoIdOrRef) - if err != nil { - t.Errorf("expected no error, got %s", err) - } - - if actual != expected { - t.Errorf("expected %s, got %s", expected, actual) - } - }) - - t.Run("It returns an error if no ref, id, or title exist", func(t *testing.T) { - t.Parallel() - schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"]) - if err != nil { - t.Fatalf("error building schema: %s", err) - } - schemaWithNoIdOrRef := schema.Definitions["oscal-complete-oscal-control-common:parameter-constraint"].TypeObject.Properties["tests"].TypeObject.Items.SchemaOrBool.TypeObject - schemaWithNoIdOrRef.Title = nil - schemaWithNoIdOrRef.ID = nil - - _, err = getRef(*schemaWithNoIdOrRef) - - if err == nil { - t.Errorf("expected an error, got nil") - } - }) -} - -func TestGetJsonType(t *testing.T) { - t.Parallel() - getSchemaByteMap(t) - - schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"]) - if 
err != nil { - t.Fatalf("error building schema: %s", err) - } - - t.Run("It returns the json type if it exists", func(t *testing.T) { - t.Parallel() - schemaWithSimpleType := schema.Definitions["oscal-complete-oscal-catalog:catalog"].TypeObject - - expected := "object" - - actual := getJsonOrCustomType(*schemaWithSimpleType) - - if actual != expected { - t.Errorf("expected %s, got %s", expected, actual) - } - }) - - t.Run("It returns an empty string if there is no json type", func(t *testing.T) { - t.Parallel() - schemaWithNoSimpleType := schema.OneOf[0].TypeObject // This schema has no type - expected := "" - - actual := getJsonOrCustomType(*schemaWithNoSimpleType) - - if actual != expected { - t.Errorf("expected %s, got %s", expected, actual) - } - }) -} - -func TestIsPrimitiveJsonType(t *testing.T) { - t.Parallel() - - type TestCase struct { - in string - out bool - } - - testCases := []TestCase{ - {in: "string", out: true}, - {in: "boolean", out: true}, - {in: "number", out: true}, - {in: "integer", out: true}, - {in: "object", out: false}, - {in: "array", out: false}, - {in: "date-time", out: true}, - } - - for _, testCase := range testCases { - actual := isPrimitiveOrCustomJsonType(testCase.in) - expected := testCase.out - if expected != actual { - t.Errorf("error isPrimitiveJsonType(): expected: %t | got: %t", expected, actual) - } - } -} - -func TestGetGoType(t *testing.T) { - t.Parallel() - - type TestCase struct { - in string - out string - } - - testCases := []TestCase{ - {in: "string", out: "string"}, - {in: "boolean", out: "bool"}, - {in: "number", out: "float64"}, - {in: "integer", out: "int"}, - {in: "array", out: "[]"}, - {in: "object", out: ""}, - {in: "date-time", out: "time.Time"}, - } - - for _, testCase := range testCases { - actual := getGoType(testCase.in) - expected := testCase.out - if expected != actual { - t.Errorf("error getGoType(): expected: %s | got: %s", expected, actual) - } - } -} - -func TestGetNameFromRef(t *testing.T) { - 
t.Parallel() - - type TestCase struct { - in string - out string - } - - testCases := []TestCase{ - {in: "#/definitions/ConstraintTest", out: "ConstraintTest"}, - {in: "#assembly_oscal-catalog_catalog", out: "Catalog"}, - {in: "#assembly_oscal-control-common_parameter-guideline", out: "ParameterGuideline"}, - {in: "#http://csrc.nist.gov/ns/oscal/1.0/1.1.1/oscal-complete-schema.json", out: "OscalCompleteSchema"}, - } - - for _, testCase := range testCases { - actual := getNameFromRef(testCase.in) - expected := testCase.out - if expected != actual { - t.Fatalf("error getNameFromRef(): expected: %s | got: %s", expected, actual) - } - } -} - -func TestDefinitionMap(t *testing.T) { - t.Parallel() - getSchemaByteMap(t) - - schema, err := buildSchema(schemaByteMap["oscal_complete_schema-1-1-1.json"]) - if err != nil { - t.Errorf("expected no error, got %v", err) - } - - definitionMap, err := getDefinitionMap(schema) - if err != nil { - t.Errorf("expected no error, got %v", err) - } - - t.Run("It maps $id's to their respective definitions", func(t *testing.T) { - t.Parallel() - result, ok := definitionMap["#assembly_oscal-catalog_catalog"] - if !ok { - t.Errorf("expected a result, got nil") - } - if *result.ID != "#assembly_oscal-catalog_catalog" { - t.Errorf("expected %s, got %s", "#assembly_oscal-catalog_catalog", *result.ID) - } - }) - - t.Run("it maps definitions to a $ref pattern if no $id is present", func(t *testing.T) { - t.Parallel() - result, ok := definitionMap["#/definitions/TokenDatatype"] - if !ok { - t.Errorf("expected a result, got nil") - } - - if *result.Type.SimpleTypes != "string" { - t.Errorf("expected %s, got %v", "string", result.Type.SimpleTypes) - } - }) -} - -// TestFmtFieldName tests that we handle formatting a json string to a go struct correctly. 
-func TestFmtFieldName(t *testing.T) { - t.Parallel() - - type TestCase struct { - in string - out string - } - - testCases := []TestCase{ - {in: "foo_id", out: "FooID"}, - {in: "fooId", out: "FooID"}, - {in: "foo_url", out: "FooURL"}, - {in: "foobar", out: "Foobar"}, - {in: "url_sample", out: "URLSample"}, - {in: "_id", out: "ID"}, - {in: "__id", out: "ID"}, - } - - for _, testCase := range testCases { - actual := FmtFieldName(testCase.in) - expected := testCase.out - if expected != actual { - t.Fatalf("error FmtFieldName(): expected: %s | got: %s", expected, actual) - } - } -} - -func TestGetCustomTypeKey(t *testing.T) { - t.Parallel() - - type TestCase struct { - in string - out string - } - - testCases := []TestCase{ - {in: "uri", out: ""}, - {in: "date-time", out: "date-time"}, - } - - for _, testCase := range testCases { - schema := jsonschema.Schema{Format: &testCase.in} - actual := getCustomTypeKey(schema) - expected := testCase.out - if expected != actual { - t.Fatalf("error getImportKey(): expected: %s | got: %s", expected, actual) - } - } -} From c73790b0cda62063ec4474671a2e6503449f1ae2 Mon Sep 17 00:00:00 2001 From: "Cole (Mike) Winberry" Date: Wed, 11 Sep 2024 14:54:22 -0700 Subject: [PATCH 4/5] docs: updated docs to reflect generation changes --- Makefile | 10 +++--- README.md | 23 ++++++++++++-- docs/commands/generate.md | 8 ----- docs/generating-types.md | 56 +++++++++++++++++++++++++++++++++ docs/upgrading-oscal-version.md | 2 +- main.go | 1 + 6 files changed, 83 insertions(+), 17 deletions(-) delete mode 100644 docs/commands/generate.md create mode 100644 docs/generating-types.md diff --git a/Makefile b/Makefile index ef780c44..7b381ccd 100644 --- a/Makefile +++ b/Makefile 
@@ -46,7 +46,7 @@ SRC := $(shell find . -type f -name '*.go' -print) go.mod go.sum #////////////////////////////////////////////////////////////////////////////// # .PHONY: all -all: clean build test generate-compdef-stdout generate-ssp-stdout +all: clean build test generate .PHONY: help help: ## Show this help message. @@ -77,7 +77,7 @@ install: ## Install binary to $INSTALL_PATH. .PHONY: upgrade upgrade: ## Upgrade oscal schema version and generate new types and doctored schema. make doctor-latest-schema - make generate-latest-schema + make generate echo -e "---\noscal: v$(subst -,.,$(OSCAL_LATEST))" > update/oscal-version.yaml rm $(UNDOCTORED_SCHEMA) @@ -85,6 +85,6 @@ upgrade: ## Upgrade oscal schema version and generate new types and doctored sch doctor-latest-schema: clean build $(BINDIR)/$(BINNAME) doctor -f $(UNDOCTORED_SCHEMA) -o $(OSCAL_LATEST_SCHEMA) -.PHONY: generate-latest -generate-latest-schema: clean build - $(BINDIR)/$(BINNAME) generate -f $(OSCAL_LATEST_SCHEMA) --pkg $(OSCAL_LATEST_PACKAGE) --tags json,yaml -o $(OSCAL_LATEST_OUTPUT)/types.go \ No newline at end of file +.PHONY: generate +generate: + go generate \ No newline at end of file diff --git a/README.md b/README.md index 5d2c556d..91a48310 100644 --- a/README.md +++ b/README.md 
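Review bot: The new `all: clean build test generate` line makes a plain `make` download and run an unpinned npm package, because the `generate` target added in the third Makefile hunk runs `go generate`, and docs/generating-types.md in this same patch says the script behind it calls `npx quicktype` with no version. Whatever quicktype release npm resolves at that moment then produces the Go types that get committed, so the output is not reproducible and depends on an unverified upstream. Pin the generator in the script, for example `npx quicktype@<pinned-version>` or a lockfile-backed devDependency, and keep regeneration an explicit step with `all: clean build test`. The `upgrade` recipe in the second hunk has the same exposure through `make generate`; writing it as `$(MAKE) generate` would also pass make's flags through to the sub-make.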
@@ -4,7 +4,7 @@ [![Go Report Card](https://goreportcard.com/badge/github.com/defenseunicorns/go-oscal)](https://goreportcard.com/report/github.com/defenseunicorns/go-oscal) [![License](https://img.shields.io/github/license/defenseunicorns/go-oscal)](https://github.com/defenseunicorns/go-oscal/blob/main/LICENSE) -go-oscal is a comprehensive Go library designed for interacting with the Open Security Controls Assessment Language (OSCAL). It offers robust support for OSCAL releases >=1.0.4, providing Go types that correspond to the latest OSCAL schemas. Notably, go-oscal offers more than just type definitions; it includes tooling for validating OSCAL documents against their respective OSCAL version schemas, facilitating the seamless transition of existing OSCAL documents to newer versions, and generating new OSCAL types as needed. Leveraging the OSCAL Complete Schema definition, go-oscal ensures that developers have access to the most up-to-date and accurate representations of OSCAL releases for their projects. +go-oscal is a comprehensive Go library designed for interacting with the Open Security Controls Assessment Language (OSCAL). It offers robust support for OSCAL releases >=1.0.4, providing Go types (using [quicktype](https://github.com/quicktype/quicktype)) that correspond to the latest OSCAL schemas. Notably, go-oscal offers more than just type definitions; it includes tooling for validating OSCAL documents against their respective OSCAL version schemas, facilitating the seamless transition of existing OSCAL documents to newer versions, and generating new OSCAL types as needed. Leveraging the OSCAL Complete Schema definition, go-oscal ensures that developers have access to the most up-to-date and accurate representations of OSCAL releases for their projects. ## Table Of Contents 
@@ -16,6 +16,8 @@ go-oscal is a comprehensive Go library designed for interacting with the Open Se - [Import](#import) - [Using Types](#using-types) - [Development](#development) + - [Generating Types](#generating-types) + - [Upgrading OSCAL Version](#upgrading-oscal-version) - [Additional Resources and Projects](#additional-resources-and-projects) ## Usage @@ -31,7 +33,6 @@ go build . - [validate](./docs/commands/validate.md) - [revise](./docs/commands/revise.md) - [doctor](./docs/commands/doctor.md) -- [generate](./docs/commands/generate.md) ### Import @@ -65,8 +66,24 @@ For development, the `Makefile` can be used to build, test, and generate the Go make test ``` +## Generating Types + +To [generate the types](./docs/generating-types.md), run the following command: + +```bash +make generate +``` + +## Upgrading OSCAL Version + +To [upgrade the OSCAL version](./docs/upgrading-oscal-version.md), run the following command: + +```bash +make upgrade OSCAL_LATEST=X-X-X UNDOCTORED_SCHEMA=path/to/undoctored-schema.json +``` + ## Additional Resources and Projects - [lula](https://github.com/defenseunicorns/lula) - [OSCAL](https://github.com/usnistgov/OSCAL) - [fedramp automation](https://github.com/GSA/fedramp-automation) -- [Awesome Oscal](https://github.com/oscal-club/awesome-oscal) \ No newline at end of file +- [Awesome Oscal](https://github.com/oscal-club/awesome-oscal) diff --git a/docs/commands/generate.md b/docs/commands/generate.md deleted file mode 100644 index 20d062e0..00000000 --- a/docs/commands/generate.md +++ /dev/null 
@@ -1,8 +0,0 @@
-# [INTERNAL] Generate Oscal Types
-The `generate` command is used internally to generate and export the individual types from a given `oscal_complete_schema.json`. It is designed specifically for use with the complete json schema's provided by [NIST OSCAL](https://github.com/usnistgov/OSCAL/releases) releases. In order to ensure consistency of types by oscal release, it is not recommended that this command be used except in the generation of newly released oscal version.
-
-## Flags/Args
-- `input-file` or `-f` is the filename of the OSCAL complete schema whose types should be generated.
-- `output-file` or `-o` is the filename/path to write the generated oscal types to.
-- `pkg` or `-p` is the package name for the generated types.
-- `tags` or `-t` is the list of tags to be handled for marshalling and unmarshalling (default: json, yaml)
\ No newline at end of file
diff --git a/docs/generating-types.md b/docs/generating-types.md
new file mode 100644
index 00000000..9336db34
--- /dev/null
+++ b/docs/generating-types.md
@@ -0,0 +1,56 @@
+# Generating OSCAL Types
+
+This project uses a custom script to generate Go types from OSCAL JSON schemas. The process is automated using the `go generate` command.
+
+## Prerequisites
+
+- Bash shell
+- Node.js and npm (for running `npx quicktype`)
+- Go installed on your system
+
+## Generation Process
+
+1. The type generation is triggered by running:
+
+ ```
+ go generate
+ ```
+
+ This command is defined in the `main.go` file:
+
+ ```go
+ //go:generate ./hack/gen-types.sh
+ ```
+
+2. The `gen-types.sh` script performs the following actions:
+
+ - Reads JSON schema files from `src/internal/schemas`
+ - Generates Go types for each schema version using `quicktype`
+ - Outputs the generated types to `src/types/oscal-/types.go`
+ - Adds YAML and XML tags to the generated structs
+
+## Script Details
+
+The `hack/gen-types.sh` script:
+
+- Iterates through all `oscal_complete_schema-*.json` files in the `src/internal/schemas` directory
+- Extracts the version number from each filename
+- Creates an output directory for each version
+- Uses `quicktype` to generate Go types from the JSON schema
+- Adds YAML and XML tags to the generated structs using `sed`
+
+## Output
+
+The generated types are placed in `src/types/oscal-/types.go`, where `` is the OSCAL schema version (e.g., `1-0-0` for version 1.0.0).
+
+Each generated file contains a package named `oscalTypes_` and a top-level struct named `OscalModels`.
+
+## Updating Types
+
+To update the generated types:
+
+1. Ensure you have the latest OSCAL JSON schemas in `src/internal/schemas`
+2. Run `go generate` in the project root directory
+
+This will regenerate all type files based on the current schemas.
+
diff --git a/docs/upgrading-oscal-version.md b/docs/upgrading-oscal-version.md
index 30614c75..c20f32f9 100644
--- a/docs/upgrading-oscal-version.md
+++ b/docs/upgrading-oscal-version.md
@@ -4,5 +4,5 @@ ## Adding new Oscal version - download the most recent undoctored `oscal_complete_schema.json` file at https://github.com/usnistgov/OSCAL/releases - Run `make OSCAL_LATEST=X-X-X UNDOCTORED_SCHEMA=path/to/undoctored-schema.json upgrade` - - This will run build, [doctor](./commands/doctor.md) the schema, placing it in `src/internal/schemas`, and [generate](./commands/generate.md) the new types. + - This will run build, [doctor](./commands/doctor.md) the schema, placing it in `src/internal/schemas`, and [generate](./generating-types.md) the new types. - This will also ***DELETE*** the undoctored schema. \ No newline at end of file diff --git a/main.go b/main.go index 22ab62d6..a2539cb4 100644 --- a/main.go +++ b/main.go @@ -2,6 +2,7 @@ package main import "github.com/defenseunicorns/go-oscal/src/cmd" +//go:generate ./hack/gen-types.sh func main() { cmd.Execute() } From 821d56b22cd996e309ee407fd0b4acadcce54b53 Mon Sep 17 00:00:00 2001 From: "Cole (Mike) Winberry" Date: Wed, 11 Sep 2024 14:59:13 -0700 Subject: [PATCH 5/5] docs(generating-types): cleaned up redundant sections --- docs/generating-types.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docs/generating-types.md b/docs/generating-types.md index 9336db34..0dc36659 100644 --- a/docs/generating-types.md +++ b/docs/generating-types.md @@ -23,16 +23,6 @@ This project uses a custom script to generate Go types from OSCAL JSON schemas. ``` 2. The `gen-types.sh` script performs the following actions: - - - Reads JSON schema files from `src/internal/schemas` - - Generates Go types for each schema version using `quicktype` - - Outputs the generated types to `src/types/oscal-/types.go` - - Adds YAML and XML tags to the generated structs - -## Script Details - -The `hack/gen-types.sh` script: - - Iterates through all `oscal_complete_schema-*.json` files in the `src/internal/schemas` directory - Extracts the version number from each filename - Creates an output directory for each version