From 0432b0412a0b17c16646469eb481d0b972237a72 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Sun, 15 Dec 2024 17:45:14 -0500 Subject: [PATCH] Add common assessment constraint IDs for #2088 --- .../oscal_assessment-common_metaschema.xml | 77 ++++++++++--------- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index de8ae81fa4..ca3fb74104 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -62,16 +62,16 @@ - + **(deprecated)** Use 'assessment-objective' instead. **(deprecated)** Use 'assessment-method' instead. The part defines an assessment objective. The part defines an assessment method. - - - - + + + + @@ -159,7 +159,7 @@ - +

Since multiple party-uuid entries can be provided, each role-id must be referenced only once.

@@ -183,16 +183,16 @@ - + The assessment method to use. This typically appears on parts with the name "assessment". - - + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. - +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -213,7 +213,7 @@ Task Type The type of task. - + The task represents a planned milestone. The task represents a specific assessment action to be performed. @@ -271,7 +271,7 @@ Time Unit The unit of time for the period. - + The period is specified in seconds. The period is specified in minutes. The period is specified in hours. @@ -336,7 +336,7 @@ --> - +

Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -526,8 +526,9 @@ Subject Type Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement. + - + The referenced assessment subject is a component defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results. The referenced assessment subject is a inventory item defined in the SSP, or in the local-definitions of an Assessment Plan or Assessment Results. The referenced assessment subject is a location defined in the metadata of the SSP, Assessment Plan, or Assessment Results. @@ -593,7 +594,8 @@ Subject Universally Unique Identifier Reference Type Used to indicate the type of object pointed to by the uuid-ref within a subject. - + + Component Inventory Item Location @@ -687,7 +689,7 @@ - +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -700,7 +702,7 @@
- +

Since multiple assessment component entries can be provided, each component must have a unique uuid.

@@ -717,7 +719,7 @@ Finding Target Type Identifies the type of the target. - + A reference to a control statement identifier within a control. A reference to a control objective identifier within a control. @@ -753,7 +755,7 @@ Objective Status State An indication as to whether the objective is satisfied or not. - + The objective has been completely satisfied. The objective has not been completely satisfied, but may be partially satisfied. @@ -763,7 +765,7 @@ Objective Status Reason The reason the objective was given it's status. - + The target system or system component satisfied all the conditions. The target system or system component did not satisfy all the conditions. Some other event took place that is not a pass or a fail. @@ -881,7 +883,7 @@ Identifies how the observation was made. - + An inspection was performed. An interview was performed. A manual or automated test was performed. @@ -895,7 +897,7 @@ Identifies the nature of the observation. More than one may be used to further qualify and enable filtering. - + A difference between the SSP implementation statement, and actual implementation. An observation about the status of a the associated control objective. A mitigating factor was identified. @@ -992,7 +994,7 @@ Actor Type The kind of actor. - + A reference to a tool component defined with the assessment assets. A reference to an assessment-platform defined with the assessment assets. A reference to a party defined within the document metadata. @@ -1068,7 +1070,7 @@ - +

Since responsible-party associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once.

@@ -1086,7 +1088,7 @@ Threat Type Identification System Specifies the source of the threat information. - + **deprecated** The value conforms to FedRAMP definitions. This value has been deprecated; use http://fedramp.gov/ns/oscal instead. The value conforms to FedRAMP definitions. @@ -1272,10 +1274,10 @@ - + The type of remediation tracking entry. Can be multi-valued. - + Contacted vendor to determine the status of a pending fix to a known vulnerability. Information related to the current state of response to this risk. A significant step in the response plan has been achieved. @@ -1305,13 +1307,14 @@ - + + The risk has been confirmed to be a false positive. The risk has been accepted. No further action will be taken. The risk has been adjusted. A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority) - + @@ -1333,7 +1336,7 @@ Risk Status Describes the status of the associated risk. - + The risk has been identified. The identified risk is being investigated. (Open risk) Remediation activities are underway, but are not yet complete. (Open risk) @@ -1371,7 +1374,7 @@ Naming System Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash. - + **deprecated** The FedRAMP naming system. This has been deprecated; use http://fedramp.gov/ns/oscal instead. The facet naming system defined by FedRAMP. The facet naming system defined by OSCAL. 
@@ -1402,29 +1405,29 @@ - + Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk). - + As first identified. Indicates that residual risk remains after some adjustments have been made. - + General likelihood rating. General impact rating. General risk rating. General severity rating. - + Likelihood as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. Impact as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. Risk as calculated according to FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. - + An identifier managed by the CVE program (see https://cve.mitre.org/). - + Base: Access Vector Base: Access Complexity Base: Authentication
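Review bot: the uniqueness remark added in the hunk at @@ -159 ("Since multiple party-uuid entries can be provided, each role-id must be referenced only once.") does not name the element it constrains, while the equivalent remarks added at @@ -183, @@ -336, @@ -687 and @@ -1068 all do ("Since responsible-role associates multiple party-uuid entries with a single role-id, each role-id must be referenced only once." and the responsible-party variant). Consider aligning the first remark with the others so a reader of the generated constraint documentation can tell which assembly that rule belongs to.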
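Review bot: the hunks at @@ -526,8 +526,9, @@ -593,7 +594,8 and @@ -1305,13 +1307,14 each grow by one line beyond the one-for-one id edits, which matches the 40 insertions / 37 deletions in the diffstat, but the commit message only mentions adding constraint IDs and the content of those three added lines is not recoverable from this rendering. Please state in the PR what each of the three additions is (a new constraint, a new attribute, or a split line), since an extra constraint in the assessment-subject, subject-reference and risk-status regions would be a behavioural change rather than the documentation-only change the subject line describes.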
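Review bot: several unchanged context lines in these hunks carry typos that are cheap to fix while the surrounding constraints are being edited: "The reason the objective was given it's status." (@@ -763) should read "its status"; "is a inventory item defined in the SSP" (@@ -526) should read "an inventory item"; and "the status of a the associated control objective" (@@ -895) should read "the status of the associated control objective". Either fold them into this change or track them separately so they are not lost.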