diff --git a/docs/content/concepts/_index.md b/docs/content/concepts/_index.md index 3facc70ace..7bd51ad0c7 100644 --- a/docs/content/concepts/_index.md +++ b/docs/content/concepts/_index.md @@ -18,6 +18,7 @@ This section of the OSCAL website presents: - Key [terminology](terminology/) used in OSCAL; - An overview of the OSCAL [layers and models](layer/), to include who and what processes they apply to; +- An oververview of [identifier use](identifier-use) in OSCAL models; - A [processing specification](processing/) for handling some types of OSCAL content; - Illustrative [examples](examples/) of how to represent control implementation and risk management data in OSCAL XML, JSON, and YAML formats; and - A discussion of how OSCAL [relates](relations-to-other/) to and draws inspiration from other documentary standards. diff --git a/docs/content/concepts/identifier-use/_index.md b/docs/content/concepts/identifier-use/_index.md new file mode 100644 index 0000000000..25dd314d50 --- /dev/null +++ b/docs/content/concepts/identifier-use/_index.md 
@@ -0,0 +1,118 @@ +--- +title: Identifier Use +description: Provides details on the scope and uniqueness of identifiers used within the OSCAL models. +suppresstopiclist: true +weight: 50 +toc: + enabled: true +sidenav: + focusrenderdepth: 2 + activerenderdepth: 2 + inactiverenderdepth: 2 +--- + +This page reviews important concepts to be aware of when declaring or referencing identifiers in OSCAL models, with in-depth explanations of identifier uniqueness and scope. + +### **Identifier Type** +By design, OSCAL supports [*machine-oriented*](#machine-oriented) and [*human-oriented*](#human-oriented) identifiers. The OSCAL models dictate which are used for different data items. + +#### Machine-Oriented + +[*Machine-oriented*](#machine-oriented) identifiers provide a persistent identity for an entity within the OSCAL models, which can be used in other locations within related OSCAL models to reference the associated entity. + +These identifiers are intended to be auto-generated by tools when the entity is initially created. In OSCAL, a machine-oriented identifier is implemented using a Universally Unique Identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122). A UUID is represented in OSCAL using the [UUID datatype](/reference/datatypes/#uuid). +UUIDs were chosen because: +- Programming interfaces exist in most programming environments to generate a UUID +- UUIDs can be issued without a central authority +- UUIDs are represented in 128 bits, providing for a large address space with low risk of identifier collisions for randomly generated values + +The opaque nature of UUIDs, which consist of a series of hexadecimal characters, makes them less than ideal for wildcard matching scenarios. Thus, their use in OSCAL is intended for identification only where an exact match is required. Where wildcard matching is needed, the other data elements associated with the entity should be evaluated for a match instead. 
+ +{{}}The opaque nature of UUIDs, which consist of a series of hexadecimal characters, makes them less than ideal for wildcard matching scenarios. Thus, their use in OSCAL is intended for identification only where an exact match is required. Where wildcard matching is needed, the other data elements associated with the entity should be evaluated for a match instead. {{}} + +The [OSCAL XML Reference Index](/reference/latest/complete/xml-index/#/@uuid) and [OSCAL JSON Reference Index](/reference/latest/complete/json-index/#/uuid) provide a listing of UUIDs in the core OSCAL models. References to these identifiers typically follow a naming convention of the object type followed by “-uuid”. For example, see the XML reference index for [location-uuid](/reference/latest/complete/xml-index/#/location-uuid) (or [location-uuids](/reference/latest/complete/json-index/#/uuid) in the JSON reference index). + +#### Human-Oriented + +A [*human-oriented*](#human-oriented) identifier incorporates semantic that support readability and processing by humans. OSCAL implements [*human-oriented*](#human-oriented) identifiers as [token](/reference/datatypes/#token) data types, which are non-colonized names. For example, control identifiers in a catalog may use a nomenclature that is familiar to the intended audience, allowing them to quickly determine what security control is being referred to, simply by its identifier value. + +The [OSCAL XML Reference Index](/reference/latest/complete/xml-index/#/@id) and [OSCAL JSON Reference Index](/reference/latest/complete/json-index/#/id) provide a comprehensive listing of the [*human-oriented*](#human-oriented) IDs in the core OSCAL models. 
References to these IDs are typically named according to the referenced object type (e.g., control) followed by “-id”, as seen here in the [XML Reference Index](/reference/latest/complete/xml-index/#/@control-id) (and likewise [JSON Reference Index](/reference/latest/complete/json-index/#/control-id) in the JSON reference index). + +### **Uniqueness** +OSCAL identifier uniqueness is categorized as *locally-unique* or *globally-unique*. As implied by the category name, [*locally-unique*](#locally-unique) identifiers must be unique within the current document, whereas [*globally-unique*](#globally-unique) identifiers are guaranteed to be unique across all other identifiers. OSCAL’s [*machine-oriented*](#machine-oriented) UUID identifiers are always [*globally-unique*](#globally-unique). [*Human-oriented*](#human-oriented) identifiers must be defined and managed organizationally and are more susceptible to identifier duplication or collisions. Thus, [*human-oriented*](#human-oriented) identifiers are less likely or cannot be guaranteed to be [*globally-unique*](#globally-unique). + +### **Scope** + +Identifiers that are only intended for use within the same OSCAL instance are categorized as *instance* scope. However, since OSCAL supports composition relationships, there are many cases where identifiers in a source OSCAL instance need to be referenced from other OSCAL instances. These are considered *cross-instance* scoped identifier references. The figure below illustrates how the core OSCAL models relationships are established through import and link mechanisms, enabling [*cross-instance*](#cross-instance) references. + +![A diagram depicting the relationships between OSCAL models. 
The solid black arrows depict relationships implemented via the import mechanism (e.g., import, import-profile, import-component-definition, import-ssp, and import-ap), whereas the dashed red line arrows illustrate relationships established through links.](oscal-model-relationships.svg) + +The following import types are supported: +- import - see [XML index](/reference/latest/complete/xml-index/#/import) or [JSON index](/reference/latest/complete/json-index/#/imports) +- import-component-definition - see [XML index](/reference/latest/complete/xml-index/#/import-component-definition) or [JSON index](/reference/latest/complete/json-index/#/import-component-definitions) +- import-profile - see [XML index](/reference/latest/complete/xml-index/#/import-profile) or [JSON index](/reference/latest/complete/json-index/#/import-profile) +- import-ssp - see [XML index](/reference/latest/complete/xml-index/#/import-ssp) or [JSON index](/reference/latest/complete/json-index/#/import-ssp) +- import-ap - see [XML index](/reference/latest/complete/xml-index/#/import-ap) or [JSON index](/reference/latest/complete/json-index/#/import-ap) + +When implementing [*cross-instance*](#cross-instance) references, identifier must be referenced in the context of the containing resource. The appropriate import attribute should be used (similar to a namespacing) to deconflict identifiers with the same values in the associated OSCAL instances. This is particularly important for [*human-oriented*](#human-oriented) identifiers that may not be globally unique but still require [*cross-instance*](#cross-instance) scoping. For example, this technique allows for the same control IDs to be used and referenced in a profile and its imported catalog(s) without conflict. + +The next section describes the identifier scoping per defining model. 
+ +#### **Catalog Identifiers** +Identifiers defined in a catalog may be referenced locally or from an importing profile ([see the diagram in the Scope section](#scope)). Additionally, identifiers defined in a catalog may be referenced in other upstream OSCAL instances in a hierarchical set of associated OSCAL documents (e.g., SSPs, assessment plans, assessment results, and POA&Ms). The table below provides a listing of the core OSCAL catalog model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|Catalog|Machine-Oriented|[XML Index](/reference/latest/catalog/xml-index/#/@uuid) | [JSON Index](/reference/latest/catalog/json-index/#/uuid)| +|Catalog|Human-Oriented|[XML Index](/reference/latest/catalog/xml-index/#/@id) | [JSON Index](/reference/latest/catalog/json-index/#/id)| + +#### **Profile Identifiers** +Identifiers defined in a profile may be referenced locally or from an importing profile or SSP ([see the diagram in the Scope section](#scope)). Component definitions can reference these identifiers through its [control-implementation - source](/reference/latest/component-definition/xml-reference/#/component-definition/component/control-implementation/@source) reference to the profile. Other upstream OSCAL models, including assessment plans, assessment results, and POA&Ms can also reference these profile identifiers via the hierarchical set of associated OSCAL documents. The table below provides a listing of the core OSCAL profile model identifiers. 
+ +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|Profile|Machine-Oriented|[XML Index](/reference/latest/profile/xml-index/#/@uuid) | [JSON Index](/reference/latest/profile/json-index/#/uuid)| +|Profile|Human-Oriented|[XML Index](/reference/latest/profile/xml-index/#/@id) | [JSON Index](/reference/latest/profile/json-index/#/id)| + +#### **Component Definition Identifiers** +Identifiers defined in a component definition may be referenced locally or from an importing component definition instance ([see the diagram in the Scope section](#scope)). SSPs may also reference identifiers from a component definitions through its implementation of links for a given component.Other upstream OSCAL models, including assessment plans, assessment results, and POA&Ms can also reference these component definition indirectly (e.g., via reference to an SSP component that has a a link to a component definition). The table below provides a listing of the core OSCAL component definition model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|Component Definition|Machine-Oriented|[XML Index](/reference/latest/component-definition/xml-index/#/@uuid) | [JSON Index](/reference/latest/component-definition/json-index/#/uuid)| +|Component Definition|Human-Oriented|[XML Index](/reference/latest/component-definition/xml-index/#/@id) | [JSON Index](/reference/latest/component-definition/json-index/#/id)| + +#### **SSP Identifiers** +Identifiers defined in an SSP may be referenced locally or from an importing AP or POA&M ([see the diagram in the Scope section](#scope)). SSP identifiers can also be referenced from the AR through its hierarchical relationship with AP. The table below provides a listing of the core OSCAL SSP model identifiers. 
+ +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|SSP|Machine-Oriented|[XML Index](/reference/latest/system-security-plan/xml-index/#/@uuid) | [JSON Index](/reference/latest/system-security-plan/json-index/#/uuid)| +|SSP|Human-Oriented|[XML Index](/reference/latest/system-security-plan/xml-index/#/@id) | [JSON Index](/reference/latest/system-security-plan/json-index/#/id)| + +#### **AP Identifiers** +Identifiers defined in an AP may be referenced locally or from an importing AR ([see the diagram in the Scope section](#scope)). The table below provides a listing of the core OSCAL AP model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|AP|Machine-Oriented|[XML Index](/reference/latest/assessment-plan/xml-index/#/@uuid) | [JSON Index](/reference/latest/assessment-plan/json-index/#/uuid)| +|AP|Human-Oriented|[XML Index](/reference/latest/assessment-plan/xml-index/#/@id) | [JSON Index](/reference/latest/assessment-plan/json-index/#/id)| + +#### **AR Identifiers** +Identifiers defined in an AR may be referenced locally ([see the diagram in the Scope section](#scope)). However, observations, risks, and findings may also be referenced implicitly in the POA&M. The table below provides a listing of the core OSCAL AR model identifiers. + +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|AR|Machine-Oriented|[XML Index](/reference/latest/assessment-results/xml-index/#/@uuid) | [JSON Index](/reference/latest/assessment-results/json-index/#/uuid)| +|AR|Human-Oriented|[XML Index](/reference/latest/assessment-results/xml-index/#/@id) | [JSON Index](/reference/latest/assessment-results/json-index/#/id)| + +#### **POA&M Identifiers** +Identifiers defined in a POA&M are only referenced locally ([see the diagram in the Scope section](#scope)). The table below provides a listing of the core OSCAL POA&M model identifiers. 
+ +|**Defining Model**|**Identifier Type**|**Identifiers**| +|:------|:-------|:-----:| +|POA&M|Machine-Oriented|[XML Index](/reference/latest/plan-of-action-and-milestones/xml-index/#/@uuid) | [JSON Index](/reference/latest/plan-of-action-and-milestones/json-index/#/uuid)| +|POA&M|Human-Oriented|[XML Index](/reference/latest/plan-of-action-and-milestones/xml-index/#/@id) | [JSON Index](/reference/latest/plan-of-action-and-milestones/json-index/#/id)| + +### **Consistency** +Identifier (value) must be managed across revisions of the same document. In general, [OSCAL identifiers](/concepts/layer/overview/#identifier-use) have *per-subject* consistency. They should only be changed if the underlying identified subject has changed in a significant way that no longer represents the same identified subject. diff --git a/docs/content/concepts/identifier-use/oscal-model-relationships.svg b/docs/content/concepts/identifier-use/oscal-model-relationships.svg new file mode 100644 index 0000000000..5fa0fa4236 --- /dev/null +++ b/docs/content/concepts/identifier-use/oscal-model-relationships.svg @@ -0,0 +1,4 @@ + + + +
import-profile
import-profile
Catalog
Catalog
import
import
import
import
Profile
Profile
SSP
SSP
Component Definition
Component Def...
link
link
import-ssp
import-ssp
POAM
POAM
import-ap
import-ap
AR
AR
AP
AP
import-component-definition
import-component-definition
import-ssp
import-ssp
control implementation source
control implementation source
observations, risks, findings/poam items
observations, risks, findings/poam items
Text is not SVG - cannot display
\ No newline at end of file diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index ed3b1d4d1f..84b3912c75 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -77,7 +77,8 @@ A local definition of a control objective. Uses catalog syntax for control objective and assessment activities. Assessment Method Universally Unique Identifier - Uniquely identifies this defined assessment method. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given assessment method across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -103,7 +104,8 @@ Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment. Assessment Activity Universally Unique Identifier - Uniquely identifies this assessment activity. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given included activity across revisions of the document. + + A machine-oriented, globally unique> identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -126,7 +128,8 @@ Step Universally Unique Identifier - Uniquely identifies a step. This UUID may be referenced elsewhere in an OSCAL document when referring to this step. A UUID should be consistently used for a given test step across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -204,7 +207,8 @@ Represents a scheduled event or milestone, which may be associated with a series of assessment actions. Task Universally Unique Identifier - Uniquely identifies this assessment task. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Task Type @@ -288,7 +292,8 @@ Task Universally Unique Identifier Reference - References a unique task by UUID. + + A machine-oriented identifier reference to a unique task. @@ -304,7 +309,8 @@ Activity Universally Unique Identifier Reference - References an activity defined in the list of activities. + + A machine-oriented identifier reference to an activity defined in the list of activities. @@ -350,6 +356,7 @@

Identifies the person or organization responsible for performing a specific role related to the task.

+
@@ -495,7 +502,8 @@ Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log. Assessment Subject Placeholder Universally Unique Identifier - Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task. + + A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -508,7 +516,8 @@ Task Universally Unique Identifier - Uniquely identifies an assessment activity to be performed as part of the event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -589,7 +598,8 @@ Subject Universally Unique Identifier Reference - A pointer to a component, inventory-item, location, party, user, or resource using it's UUID. + + A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID. 
@@ -609,7 +619,8 @@ Identifies the Subject - A pointer to a resource based on its universally unique identifier (UUID). Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. + + A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else. type @@ -653,7 +664,8 @@ Assessment Platform Universally Unique Identifier - Uniquely identifies this assessment Platform. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -672,7 +684,8 @@ Component Universally Unique Identifier Reference - A reference to a component that is implemented as part of an inventory item. + + A machine-oriented identifier reference to a component that is implemented as part of an inventory item. @@ -728,7 +741,8 @@ Finding Target Identifier Reference - Identifies the specific target qualified by the type. + + A machine-oriented identifier reference for a specific target qualified by the type. 
@@ -790,7 +804,8 @@ Describes an individual observation. Observation Universally Unique Identifier - Uniquely identifies this observation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given observation across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -930,7 +945,8 @@
Actor Universally Unique Identifier Reference - A pointer to the tool or person based on the associated type. + + A machine-oriented identifier reference to the tool or person based on the associated type. Actor Role @@ -951,7 +967,8 @@ Identifies an individual task for which the containing object is a consequence of. Task Universally Unique Identifier Reference - References a unique task by UUID. + + A machine-oriented identifier reference to a unique task. @@ -979,7 +996,8 @@ Assessment Subject Placeholder Universally Unique Identifier Reference - References a unique assessment subject placeholder defined by this task. + + A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task. @@ -1028,7 +1046,8 @@ An identified risk. Risk Universally Unique Identifier - Uniquely identifies this risk. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given risk across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -1085,11 +1104,13 @@ Mitigating Factor Universally Unique Identifier - Uniquely identifies this mitigating factor. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given mitigating factor across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Implementation UUID - Points to an implementation statement in the SSP. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -1130,7 +1151,8 @@ Risk Log Entry Universally Unique Identifier - Uniquely identifies a risk log entry. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -1170,7 +1192,8 @@ Response Universally Unique Identifier Reference - References a unique risk response by UUID. + + A machine-oriented identifier reference to a unique risk response. @@ -1218,7 +1241,8 @@ Observation Universally Unique Identifier Reference - References an observation defined in the list of observations. + + A machine-oriented identifier reference to an observation defined in the list of observations. @@ -1238,7 +1262,8 @@ Used to indicate who created a log entry in what role. Party UUID Reference - A pointer to the party who is making the log entry. + + A machine-oriented identifier reference to the party who is making the log entry. Actor Role 
@@ -1519,7 +1544,8 @@ Describes either recommended or an actual plan for addressing the risk. Remediation Universally Unique Identifier - Uniquely identifies this remediation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given remediation across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Remediation Intent @@ -1561,7 +1587,8 @@ Required Universally Unique Identifier - Uniquely identifies this required asset. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given required asset across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -1623,7 +1650,8 @@ Part Identifier - A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Part Name diff --git a/src/metaschema/oscal_assessment-plan_metaschema.xml b/src/metaschema/oscal_assessment-plan_metaschema.xml index 9bef67975c..24ee462070 100644 --- a/src/metaschema/oscal_assessment-plan_metaschema.xml +++ b/src/metaschema/oscal_assessment-plan_metaschema.xml @@ -20,7 +20,8 @@ assessment-plan Assessment Plan Universally Unique Identifier - Uniquely identifies this assessment plan. This UUID must be changed each time the content of the plan changes. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -118,6 +119,17 @@ + + diff --git a/src/metaschema/oscal_assessment-results_metaschema.xml b/src/metaschema/oscal_assessment-results_metaschema.xml index ebb24f1b5c..28ef12b224 100644 --- a/src/metaschema/oscal_assessment-results_metaschema.xml +++ b/src/metaschema/oscal_assessment-results_metaschema.xml 
@@ -22,7 +22,8 @@ assessment-results Assessment Results Universally Unique Identifier - Uniquely identifies this assessment results file. This UUID must be changed each time the content of the results changes. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -74,7 +75,8 @@ Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition. Results Universally Unique Identifier - Uniquely identifies this set of results. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given set of results across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -199,7 +201,8 @@ Assessment Log Entry Universally Unique Identifier - Uniquely identifies an assessment event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -259,7 +262,8 @@ Describes an individual finding. Finding Universally Unique Identifier - Uniquely identifies this finding. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given finding across revisions. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -290,7 +294,8 @@ Implementation Statement UUID - Identifies the implementation statement in the SSP to which this finding is related. + + A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related. @@ -299,7 +304,8 @@ Observation Universally Unique Identifier Reference - References an observation defined in the list of observations. + + A machine-oriented identifier reference to an observation defined in the list of observations. 
@@ -309,7 +315,8 @@ Risk Universally Unique Identifier Reference - References an risk defined in the list of risks. + + A machine-oriented identifier reference to a risk defined in the list of risks. diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index dd7743ca85..b89d40e74b 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -24,7 +24,7 @@ catalog Catalog Universally Unique Identifier - A globally unique identifier for this catalog instance. This UUID should be changed when this document is revised. + A globally unique identifier with cross-instance scope for this catalog instance. This UUID should be changed when this document is revised. @@ -65,7 +65,8 @@ Group Identifier - A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document. + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document. Group Class 
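Review bot: The new Group Identifier description has a doubled word, "elsewhere in in this and other OSCAL instances", and says "this and other" where the rest of the patch says "this or other". It also omits the qualifier that the profile's Group Identifier receives in oscal_profile_metaschema.xml ("When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource"), although both are described as locally unique with cross-instance scope. Suggest fixing the wording and adding the same qualifier here, since a locally unique id cannot be resolved from another instance without naming the resource that contains it.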
@@ -130,7 +131,8 @@ Control Identifier - A unique identifier for a specific control instance that can be used to reference the control in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same control across minor revisions of the document. + + A human-oriented, locally unique identifier with instance scope that can be used to reference this control elsewhere in this and other OSCAL instances (e.g., profiles). This id should be assigned per-subject, which means it should be consistently used to identify the same control across revisions of the document. Control Class diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml index 7a9fe80aec..fb97e12319 100644 --- a/src/metaschema/oscal_component_metaschema.xml +++ b/src/metaschema/oscal_component_metaschema.xml @@ -33,7 +33,8 @@ component-definition Component Definition Universally Unique Identifier - A globally unique identifier for this component definition instance. This UUID should be changed when this document is revised. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component definition elsewhere in this or other OSCAL instances. The locally defined UUID of the component definition can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -79,7 +80,8 @@ A defined component that can be part of an implemented system. Component Identifier - The unique identifier for the component. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. type @@ -249,7 +251,8 @@ A grouping of other components and/or capabilities. Capability Identifier - A unique identifier for a capability. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this capability elsewhere in this or other OSCAL instances. The locally defined UUID of the capability can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Capability Name @@ -289,7 +292,8 @@ TBD Component Reference - A reference to a component by its identifier + + A machine-oriented identifier reference to a component. 
@@ -304,7 +308,8 @@ Defines how the component or capability supports a set of controls. Control Implementation Set Identifier - A unique identifier for the set of implemented controls. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a set of implemented controls elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation set can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -346,7 +351,8 @@ Describes how the containing component or capability implements an individual control. Control Implementation Identifier - A unique identifier for a specific control implementation. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference a specific control implementation elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -402,7 +408,8 @@ Control Statement Reference Universally Unique Identifier - A globally unique identifier that can be used to reference this control statement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). 
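Review bot: The replacement text for the control statement UUID drops the stability guidance that the removed line carried ("A UUID should be consistently used for a given resource across revisions of the document"); the other new UUID descriptions in this file all end with "This UUID should be assigned per-subject ...". If statement UUIDs are still meant to stay stable across revisions, add that sentence back; if they are not, say so explicitly, because tools that resolve references across revisions need to know which behavior to expect.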
diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index dc03e9e7da..931dddae7d 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -20,9 +20,10 @@ Part A partition of a control's definition or a child of another part. - + Part Identifier - A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document. + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined part elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Part Name @@ -120,9 +121,10 @@ param - + Parameter Identifier - A unique identifier for a specific parameter instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same parameter across minor revisions of the document. + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -264,6 +266,7 @@ Control Identifier Reference - A reference to a control with a corresponding id value. + + A human-oriented identifier reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index 6829307fef..40dedfef70 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml @@ -30,7 +30,8 @@ A defined component that can be part of an implemented system. Component Identifier - The unique identifier for the component. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -249,7 +250,8 @@ Information about the protocol used to provide a service. Service Protocol Information Universally Unique Identifier - A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Protocol Name @@ -337,7 +339,8 @@ A type of user that interacts with the system based on an associated role. User Universally Unique Identifier - The unique identifier for the user class. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -422,7 +425,8 @@ --> Inventory Item Universally Unique Identifier - A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. + A machine-oriented identifier reference to a component that is implemented as part of an inventory item. @@ -631,7 +636,8 @@ --> Control Statement Reference - A reference to a control statement by its identifier + + A human-oriented identifier reference to a control statement. Set Parameter Value @@ -653,11 +659,12 @@ System Identification - A unique identifier for the system described by this system security plan. + + A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document. id Identification System Type - Identifies the identification system from which the provided identifier was assigned. + Identifies the identification system from which the provided identifier was assigned. The identifier was assigned by FedRAMP. 
@@ -671,7 +678,8 @@ Parameter ID - A reference to a parameter within a control, who's catalog has been imported into the current implementation context. + + A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context. System ISSO diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index f20a00a3db..2487f072a9 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -156,7 +156,8 @@ A location, with associated metadata that can be referenced. Location Universally Unique Identifier - A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined location elsewhere in this or other OSCAL instances. The locally defined UUID of the location can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -212,7 +213,8 @@ Location Reference - References a location defined in metadata. + + A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). 
@@ -225,7 +227,8 @@ Location Reference - References a location defined in metadata. + + A machine-oriented identifier reference to a location defined in the metadata section of this or another OSCAL instance. The UUID of the location in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). @@ -233,6 +236,9 @@ + +

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

+
@@ -240,7 +246,8 @@ A responsible entity which is either a person or an organization. Party Universally Unique Identifier - A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given party across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined party elsewhere in this or other OSCAL instances. The locally defined UUID of the party can be used to reference the data item locally or globally (e.g., from an importing OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Party Type @@ -310,7 +317,9 @@ Organizational Affiliation - Identifies that the party object is a member of the organization associated with the provided UUID. + + A machine-oriented identifier reference to another party (person or organization) that this subject is associated with. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). + @@ -318,8 +327,7 @@ -

Parties of both the person or organization type can be associated with an organization using the member-of-organization. -

+

Parties of both the person or organization type can be associated with an organization using the member-of-organization.

@@ -335,7 +343,8 @@ Party Reference - References a party defined in metadata. + + A machine-oriented identifier reference to another party defined in metadata. The UUID of the party in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). @@ -343,6 +352,9 @@ + +

See the Concepts - Identifier Use page for additional information about the referenced identifier's scope.

+
@@ -350,11 +362,8 @@ Defines a function assumed or expected to be assumed by a party in a specific situation. - Role Identifier - A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document. - -

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

-
+ + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined role elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, the locally defined ID of the Role from the imported OSCAL instance must be referenced in the context of the containing resource (e.g., import, import-component-definition, import-profile, import-ssp or import-ap). This ID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
@@ -380,12 +389,14 @@

Permissible values to be determined closer to the application (e.g. by a receiving authority).

-
+

OSCAL has defined a set of standardized roles for consistent use in OSCAL documents. This allows tools consuming OSCAL content to infer specific semantics when these roles are used. These roles are documented in the specific contexts of their use (e.g., responsible-party, responsible-role). When using such a role, it is necessary to define these roles in this list, which will then allow such a role to be referenced.

+
Role Identifier Reference - A reference to the roles served by the user. + + A human-oriented identifier reference to roles served by the user. @@ -407,7 +418,8 @@ Resource Universally Unique Identifier - A globally unique identifier that can be used to reference this defined resource elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined resource elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -600,7 +612,8 @@
Property Universally Unique Identifier - A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this defined property elsewhere in this or other OSCAL instances. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -704,7 +717,8 @@ A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object. Responsible Role - The role that the party is responsible for. + + A human-oriented identifier reference to roles served by the user. @@ -736,7 +750,8 @@ A reference to one or more roles with responsibility for performing a function relative to the containing object. Responsible Role ID - The role that is responsible for the business function. + + A human-oriented identifier reference to roles responsible for the business function. 
@@ -914,7 +929,8 @@ Document Identifier - A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element. + + A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier with a cross-instance scope that is used for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of "document-id" is equal to the value of the "uuid" flag of the top-level root element. identifier diff --git a/src/metaschema/oscal_poam_metaschema.xml b/src/metaschema/oscal_poam_metaschema.xml index bce14bc6be..65936c509d 100644 --- a/src/metaschema/oscal_poam_metaschema.xml +++ b/src/metaschema/oscal_poam_metaschema.xml @@ -23,7 +23,8 @@ plan-of-action-and-milestones POA&M Universally Unique Identifier - Uniquely identifies this POA&M. This UUID must be changed each time the content of the POA&M changes. + + A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
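Review bot: In the POA&M UUID description, "with instancescope" is missing a space, and the scope differs from the other root-level UUIDs in this patch: the assessment plan, assessment results, component definition, profile and SSP are all given cross-instance scope, while the POA&M is limited to "this OSCAL instance". If instance scope is intended for the POA&M, a short remark explaining why would help; otherwise align it with the other document UUIDs. The removed line required the UUID to change whenever the content changes, so the move to per-subject assignment reverses existing guidance and should be called out for implementers.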
@@ -88,7 +89,8 @@ Describes an individual POA&M item. POA&M Item Universally Unique Identifier - Uniquely identifies the POA&M entry. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given POA&M item across revisions of the document. + + A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -132,7 +134,8 @@ Observation Universally Unique Identifier Reference - References an observation defined in the list of observations. + + A machine-oriented identifier reference to an observation defined in the list of observations. @@ -143,7 +146,8 @@ Risk Universally Unique Identifier Reference - References an risk defined in the list of risks. + + A machine-oriented identifier reference to a risk defined in the list of risks. diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 0701c611ab..18e2aad3ce 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml 
@@ -22,8 +22,9 @@ Each OSCAL profile is defined by a Profile element profile - Catalog Universally Unique Identifier - A globally unique identifier for this profile instance. This UUID should be changed when this document is revised. + Profile Universally Unique Identifier + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this profile elsewhere in this or other OSCAL instances. The locally defined UUID of the profile can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This identifier should be assigned per-subject, which means it should be consistently used to identify the same profile across revisions of the document. @@ -36,6 +37,7 @@

An OSCAL document that describes a tailoring of controls from one or more catalogs, with possible modification of multiple controls. It provides mechanisms by which controls may be selected (import), merged or (re)structured (merge), and amended (modify). OSCAL profiles may select subsets of controls, set parameter values for them in application, and even adjust the representation of controls as given in and by a catalog. They may also serve as sources for further modification in and by other profiles, that import them.

+

See the Concepts - Identifier Use page for additional information regarding this identifier's uniqueness and scope.

@@ -145,7 +147,8 @@ Group Identifier - A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document. + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined group elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same group across revisions of the document. Group Class @@ -196,7 +199,8 @@ Parameter ID - Indicates the value of the 'id' flag on a target parameter; i.e. which parameter to set + + A human-oriented, locally unique identifier with cross-instance scope that can be used to reference this defined parameter elsewhere in this or other OSCAL instances. When referenced from another OSCAL instance, this identifier must be referenced in the context of the containing resource (e.g., import-profile). This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. Parameter Class diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index 295356ec2e..cb5a6a65c5 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml 
@@ -34,7 +34,8 @@ system-security-plan System Security Plan Universally Unique Identifier - A globally unique identifier for this catalog instance. This UUID should be changed when this document is revised. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -190,7 +191,8 @@ Information Type Universally Unique Identifier - A globally unique identifier that can be used to reference this information type entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -220,7 +222,8 @@ Information Type Systematized Identifier - An identifier qualified by the given identification system used, such as NIST SP 800-60. + + A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. id 
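Review bot: In the Information Type Systematized Identifier description, "can be used to reference this system elsewhere" names the wrong subject; the identifier belongs to an information type (the example given is NIST SP 800-60), not to the system. Suggest "reference this information type". The text also calls the value "globally unique" while describing it as "qualified by the given identification system", so it would be clearer to state that uniqueness holds within that identification system.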
@@ -409,7 +412,8 @@ A graphic that provides a visual representation the system, or some aspect of it. Diagram ID - The identifier for this diagram. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -539,7 +543,8 @@ Leveraged Authorization Universally Unique Identifier - A globally unique identifier that can be used to reference this leveraged authorization entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -554,7 +559,8 @@ party-uuid field - A reference to the party that manages the leveraged system. + + A machine-oriented identifier reference to the party that manages the leveraged system. 
@@ -683,7 +689,8 @@ Describes how the system satisfies an individual control. Control Requirement Universally Unique Identifier - A globally unique identifier that can be used to reference this control requirement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -773,7 +780,8 @@ Control Statement Reference Universally Unique Identifier - A globally unique identifier that can be used to reference this control statement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance). 
@@ -815,11 +823,13 @@ Defines how the referenced component implements a set of controls. Component Universally Unique Identifier Reference - A reference to the component that is implementing a given control or control statement. + + A machine-oriented identifier reference to the component that is implemeting a given control. By-Component Universally Unique Identifier - A globally unique identifier that can be used to reference this by-component entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -862,7 +872,8 @@ Provided Universally Unique Identifier - A globally unique identifier that can be used to reference this provided entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -896,7 +907,8 @@ Responsibility Universally Unique Identifier - A globally unique identifier that can be used to reference this responsibility entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -947,7 +959,8 @@ Inherited Universally Unique Identifier - A globally unique identifier that can be used to reference this inherited entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. 
@@ -982,7 +995,8 @@ Satisfied Universally Unique Identifier - A globally unique identifier that can be used to reference this satisfied entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document. + + A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document. @@ -1033,11 +1047,13 @@ Provided UUID - Identifies a 'provided' assembly associated with this assembly. + + A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system. - Provided UUID - Identifies a 'provided' assembly associated with this assembly. + Responsibility UUID + + A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.
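Review bot: in the `@@ -34,7 +34,8 @@` hunk (System Security Plan Universally Unique Identifier), the added description reverses the removed guidance without saying so. The old text said the UUID "should be changed when this document is revised"; the new text says it should be "consistently used to identify the same subject across revisions of the document". Consumers that relied on the old rule to notice a revised SSP would be affected, so please confirm the reversal is intended and mention it in the commit message or release notes. The same added line is also missing a space in "instance).This UUID".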
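Review bot: in the `@@ -220,7 +222,8 @@` hunk (Information Type Systematized Identifier), "can be used to reference this system elsewhere" names the wrong subject; the field identifies an information type, so it should read "this information type". The added text also calls the value "globally unique" while describing it as "qualified by the given identification system", which suggests uniqueness only holds within that system; please state which is meant. "This id" should match the wording used in the other descriptions ("This identifier").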
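Review bot: in the `@@ -539,7 +543,8 @@` hunk (Leveraged Authorization Universally Unique Identifier), the first added sentence reads "with cross-instance scope and can be used to reference", which is ungrammatical and differs from every other description in this patch. Change "and can be used" to "that can be used" so the boilerplate is identical across the UUID fields.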
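Review bot: in the `@@ -773,7 +780,8 @@` hunk (Control Statement Reference Universally Unique Identifier), the per-subject guidance is dropped. The removed line said "A UUID should be consistently used for a given resource across revisions of the document", and every sibling description in this patch keeps the equivalent sentence ("This UUID should be assigned per-subject ..."), but this one ends after "(e.g., in an imported OSCAL instance)". If the omission is deliberate, the description should say what the assignment rule is for control statements; otherwise add the per-subject sentence back. The second sentence also uses different wording ("in the source OSCAL instance is sufficient to reference") from the "locally defined UUID ... can be used" phrasing elsewhere.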
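Review bot: in the `@@ -815,11 +823,13 @@` hunk, the Component Universally Unique Identifier Reference description has a typo ("implemeting") and narrows the meaning. The removed line covered "a given control or control statement"; the added line says only "a given control". If by-component can still appear under a control statement, restore "or control statement"; if not, the narrowing deserves a note in the commit message.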
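Review bot: in the `@@ -982,7 +995,8 @@` hunk (Satisfied Universally Unique Identifier), the two added sentences name different subjects. The first says "this satisfied control implementation entry" and the second says "The locally defined UUID of the control implementation", which could be read as any of the by-component, provided or inherited entries described nearby. Use "the satisfied entry" in both sentences, matching the pattern of the other descriptions.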
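Review bot: in the `@@ -1033,11 +1047,13 @@` hunk, neither added description names the entry the reference points to. The Provided UUID text says "a machine-oriented identifier reference to an inherited control implementation", yet the removed line identified the target as a 'provided' assembly; the Responsibility UUID text describes "a control implementation that satisfies a responsibility" rather than the responsibility entry being referenced. Since the rest of this patch is about making reference scope explicit, state the target directly, for example "reference to the provided entry in the leveraged system's SSP" and "reference to the responsibility entry ...", and confirm the retitled second field (Provided UUID to Responsibility UUID) is matched by the field name outside the visible lines.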