uuid of the source profile from which the catalog was produced by profile resolution.
uuid of the profile from which the catalog was produced by profile resolution.
Catalogs can use a group to collect related controls into a single grouping. That can be useful to group controls into a family or other logical grouping.
A group may have its own properties, statements, parameters, and references, which are inherited by all members of that group.
Catalogs can use the catalog group construct to organize related controls into a single grouping, such as a family of controls or other logical organizational structure.
A group may have its own properties, statements, parameters, and references, which are inherited by all controls that are members of the group.
The OSCAL Component Definition Model can be used to describe the implementation of controls in a component or a set of components grouped as a capability. A component can be either a technical component or a documentary component. A technical component is a component that is implemented in hardware (physical or virtual) or software. A documentary component is a component implemented in a document, such as a process, procedure, or policy.
The root of the OSCAL Implementation Component format is component-definition.
-
NOTE: This documentation is a work in progress. As a result, documentation for many of the information elements is missing or incomplete.
+The OSCAL Component Definition Model can be used to describe the implementation of controls in a component
or a set of components grouped as a capability
. A component can be either a technical component, or a documentary component.
A technical component is a component that is implemented in hardware (physical or virtual) or software. Suppliers may document components in an OSCAL component definition that describes the implementation of controls in their hardware and software.
+A documentary component is a component implemented for a documented process, procedure, or policy. Suppliers may document components in an OSCAL component definition that describes the implementation of controls in their process, procedure, or policy.
+The information provided by a technical or documentary component can be used by component consumers to provide starting narratives for documenting control implementations in an OSCAL SSP.
+The root of the OSCAL Implementation Layer Component Definition model is component-definition
.
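Review bot: the added paragraph names the root as the "OSCAL Implementation Layer Component Definition model" while the text above it uses "OSCAL Component Definition Model" and "OSCAL Implementation Component format"; pick one name for the model and use it in every remark. The added sentence "either a technical component, or a documentary component" should also drop the comma before "or".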
component definition uuid: can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
component uuid: can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
capability uuid: can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
A given component must not be referenced more than once within the same capability.
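As an added example (not OSCAL project code), the script below checks the two identifier rules stated above on a component definition: every uuid is a well-formed UUID that identifies exactly one subject in the document, and a capability incorporates a given component at most once (it also flags a reference to a component the document does not declare). The key names (components, capabilities, incorporates-components, component-uuid) follow the OSCAL 1.0 JSON layout as I understand it; the document is constructed sample data.

```python
"""Identifier checks for an OSCAL component definition.

Added example, not OSCAL project code. Verifies that every uuid in the
document (component definition, components, capabilities) is a well-formed
UUID used for exactly one subject, and that a capability incorporates a
given component at most once. Key names follow the OSCAL 1.0 JSON layout;
the document below is constructed sample data.
"""
import uuid
from collections import Counter

COMPONENT_DEFINITION = {
    "component-definition": {
        "uuid": "5b7a6f0e-6b3c-4a0e-9a2b-1d0f3c8e7a11",
        "components": [
            {"uuid": "a1c6d2e4-3f5b-4c7d-8e9f-0a1b2c3d4e51", "type": "software",
             "title": "Reverse proxy"},
            {"uuid": "b2d7e3f5-4a6c-4d8e-9f0a-1b2c3d4e5f62", "type": "policy",
             "title": "Access control policy"},
        ],
        "capabilities": [
            {"uuid": "c3e8f4a6-5b7d-4e9f-8a1b-2c3d4e5f6a73", "name": "web-tier",
             "incorporates-components": [
                 {"component-uuid": "a1c6d2e4-3f5b-4c7d-8e9f-0a1b2c3d4e51",
                  "description": "Fronts all HTTP traffic"},
                 {"component-uuid": "b2d7e3f5-4a6c-4d8e-9f0a-1b2c3d4e5f62",
                  "description": "Governs who may administer the proxy"},
             ]},
        ],
    }
}


def find_problems(doc):
    """Return human-readable rule violations; an empty list means the checks pass."""
    cd = doc["component-definition"]
    problems = []
    component_uuids = [c["uuid"] for c in cd.get("components", [])]
    capabilities = cd.get("capabilities", [])

    # Rule 1: each uuid parses and identifies exactly one subject in this document.
    owners = Counter([cd["uuid"]] + component_uuids + [cap["uuid"] for cap in capabilities])
    for ident, count in owners.items():
        try:
            uuid.UUID(ident)
        except ValueError:
            problems.append(f"{ident!r} is not a well-formed UUID")
        if count > 1:
            problems.append(f"uuid {ident} identifies {count} subjects")

    # Rule 2: a component may be incorporated at most once per capability, and the
    # reference must point at a component declared in this document.
    known = set(component_uuids)
    for cap in capabilities:
        refs = Counter(ref["component-uuid"] for ref in cap.get("incorporates-components", []))
        for ref, count in refs.items():
            if count > 1:
                problems.append(f"capability {cap['uuid']} incorporates component {ref} {count} times")
            if ref not in known:
                problems.append(f"capability {cap['uuid']} incorporates unknown component {ref}")
    return problems


if __name__ == "__main__":
    for line in find_problems(COMPONENT_DEFINITION) or ["no problems found"]:
        print(line)
```

Run it against a real component definition by loading the JSON file into `doc` and calling `find_problems(doc)`; an empty list means both rules hold. The reuse check is per document only, since consistency of a uuid across revisions can only be judged with the earlier revision at hand.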
control implementation set uuid: can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
control implementation uuid: can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.
Implemented requirements within a component or capability in a component definition provide a means to suggest possible control implementation details, which may be used by a different party when authoring a system security plan. Thus, these requirements defined in a component definition are only a suggestion of how to implement, which may be adopted wholesale, changed, or ignored by a person defining an information system implementation.
+Implemented requirements within a component or capability in a component definition provide a means for component suppliers to suggest possible control implementation details, which may be used by a different party (e.g., component consumers) when authoring a system security plan. Thus, these requirements defined in a component definition are only a suggestion of how to implement, which may be adopted wholesale, changed, or ignored by a person defining an information system implementation.
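Review bot: the added wording introduces the roles "component suppliers" and "component consumers" without defining them anywhere in these remarks; define both terms once (the component definition overview would be the natural place) or link to where they are defined, so readers know which party authors the component definition and which party authors the SSP.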
Use of set-parameter in this context sets the parameter for the referenced control and any associated statements.
In OSCAL a profile represents a baseline of selected controls from one or more control catalogs. An OSCAL profile is used in an OSCAL system security plan (SSP) to determine the baseline of controls that must be implemented by the information system. The effective set of controls is generated through profile resolution.
+In OSCAL a profile represents a baseline of selected controls from one or more control catalogs. An OSCAL profile is used in an OSCAL system security plan (SSP) to determine the baseline of controls that must be implemented by the information system. The effective set of controls is generated through profile resolution process.
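Review bot: "generated through profile resolution process" is missing an article; it should read "through the profile resolution process". Apart from that, the added line is identical to the preceding paragraph, so this hunk changes wording only.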
In OSCAL a profile represents a set of selected controls from one or more control catalogs. Such a set of controls can be referenced by an OSCAL system security plan (SSP) to establish a control baseline. This effective set of controls is produced from an OSCAL profile using a deterministic, predictable process called profile resolution.
-A profile references one or more OSCAL catalogs or profiles to import controls from for control selection and tailoring. A profile can also describe how a resulting catalog is structured. When the profile is resolved, these selections and modifications are processed to produce a resulting OSCAL catalog.
+A profile references one or more OSCAL catalogs or profiles to import controls for control selection and tailoring. A profile can also describe how a resulting catalog is structured. When the profile is resolved, these selections and modifications are processed to produce a resulting OSCAL catalog.
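Review bot: removing "from" fixes the doubled preposition, but "to import controls for control selection and tailoring" still reads awkwardly; "from which to import controls for selection and tailoring" says the same thing more cleanly.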
OSCAL profiles have uses beyond establishing a baseline, such as documentation generation or as reference tables for validations.
profile uuid: can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This identifier should be assigned per-subject, which means it should be consistently used to identify the same profile across revisions of the document.
An OSCAL document that describes a tailoring of controls from one or more catalogs, with possible modification of multiple controls. It provides mechanisms by which controls may be selected (import), merged or (re)structured (merge), and amended (modify). OSCAL profiles may select subsets of controls, set parameter values for them in application, and even adjust the representation of controls as given in and by a catalog. They may also serve as sources for further modification in and by other profiles that import them.
See the Concepts - Identifier Use page for additional information regarding this identifier's uniqueness and scope.
import designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline. This content may
A profile must be based on an existing OSCAL catalog or another OSCAL profile. An import indicates such a source whose controls are to be included (referenced and modified) in a profile. This source will either be a catalog whose controls are given (by value), or a profile with its own control imports.
The contents of the import element indicate which controls from the source will be included. Controls from the source catalog or profile may be either selected, using the include-all or include-controls directives, or de-selected (using an exclude-controls directive).
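As an added example (not OSCAL project code) of the selection step of profile resolution described above, the script below resolves a profile's imports against in-memory catalogs: it flattens groups, applies include-all / include-controls / exclude-controls per import, applies modify/set-parameters, and emits a new catalog that records the uuid of the profile it was produced from. It goes beyond the single-import case in the text by handling several imports and pattern-based selection. Assumptions: import hrefs are looked up in a dictionary of already-loaded catalog documents, matching patterns are treated as shell-style globs, merge directives are not implemented, and the "source-profile" link rel used to point back at the profile is my reading of the profile resolution specification; the catalog and profile are constructed sample data.

```python
"""Selection step of OSCAL profile resolution over an in-memory catalog.

Added example, not OSCAL project code. Handles import (include-all,
include-controls, exclude-controls) and modify/set-parameters; merge
directives are not implemented. Key names follow the OSCAL 1.0 JSON layout;
the catalog and profile below are constructed sample data.
"""
import copy
import fnmatch
import uuid

# Constructed sample catalog: one group with two controls plus a top-level control.
CATALOG = {
    "catalog": {
        "uuid": "0f2c1a3e-5d7b-4c9e-8a1b-3d5f7a9c1e20",
        "groups": [
            {"id": "ac", "title": "Access Control", "controls": [
                {"id": "ac-1", "title": "Policy and Procedures",
                 "params": [{"id": "ac-1_prm_1", "label": "review frequency"}]},
                {"id": "ac-2", "title": "Account Management"},
            ]},
        ],
        "controls": [{"id": "pl-1", "title": "Policy and Procedures"}],
    }
}

# Constructed sample profile: take every "ac-*" control, drop ac-2, add pl-1
# by id, and set the review frequency parameter on ac-1.
PROFILE = {
    "profile": {
        "uuid": "7a6b5c4d-3e2f-4a1b-9c8d-7e6f5a4b3c21",
        "imports": [{
            "href": "catalog.json",  # looked up in the sources dict (assumption)
            "include-controls": [{"matching": [{"pattern": "ac-*"}]},
                                 {"with-ids": ["pl-1"]}],
            "exclude-controls": [{"with-ids": ["ac-2"]}],
        }],
        "modify": {"set-parameters": [{"param-id": "ac-1_prm_1",
                                       "values": ["annually"]}]},
    }
}


def flatten_controls(container):
    """Yield every control in a catalog or group, descending into nested groups and controls."""
    for group in container.get("groups", []):
        yield from flatten_controls(group)
    for control in container.get("controls", []):
        yield control
        yield from flatten_controls({"controls": control.get("controls", [])})


def _selected_by(control_id, selectors):
    """True if any with-ids / matching selector picks this control id."""
    for sel in selectors:
        if control_id in sel.get("with-ids", []):
            return True
        if any(fnmatch.fnmatchcase(control_id, m["pattern"]) for m in sel.get("matching", [])):
            return True
    return False


def resolve(profile_doc, sources):
    """Return a resolved catalog dict; sources maps import hrefs to loaded catalog docs."""
    profile = profile_doc["profile"]
    selected = {}  # control id -> deep copy of the control, in selection order
    for imp in profile.get("imports", []):
        catalog = sources[imp["href"]]["catalog"]
        for control in flatten_controls(catalog):
            cid = control["id"]
            included = "include-all" in imp or _selected_by(cid, imp.get("include-controls", []))
            if included and not _selected_by(cid, imp.get("exclude-controls", [])):
                selected[cid] = copy.deepcopy(control)
    # modify/set-parameters overrides the values of the named parameter wherever it occurs.
    for sp in profile.get("modify", {}).get("set-parameters", []):
        for control in selected.values():
            for param in control.get("params", []):
                if param["id"] == sp["param-id"]:
                    param["values"] = list(sp["values"])
    return {"catalog": {
        "uuid": str(uuid.uuid4()),  # the resolved catalog is a new document with its own uuid
        # record which profile produced this catalog (the link rel name is an assumption)
        "metadata": {"links": [{"rel": "source-profile", "href": "#" + profile["uuid"]}]},
        "controls": list(selected.values()),
    }}


def resolved_ids(profile_doc, sources):
    """Convenience: the sorted ids of the controls a profile selects."""
    return sorted(c["id"] for c in resolve(profile_doc, sources)["catalog"]["controls"])


if __name__ == "__main__":
    for control in resolve(PROFILE, {"catalog.json": CATALOG})["catalog"]["controls"]:
        print(control["id"], control.get("params", []))
```

Controls are deep-copied before parameters are set so the source catalog is never modified, which matters when the same catalog is resolved by several profiles in one run; exclusion is applied after inclusion, matching the page's description of selecting and then de-selecting.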