oscal_assessment-common_metaschema.xml

<?xml version="1.0" encoding="UTF-8"?>
<METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" abstract="yes">
   <schema-name>OSCAL Assessment Layer Format -- Common Modules</schema-name>
   <schema-version>1.1.2</schema-version>
   <short-name>oscal-assessment-common</short-name>
   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
   <json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
   <remarks>
      <p>This contains all modules common to the assessment plan, assessment results, and POAM models. </p>
      <p>The root of the OSCAL Assessment Plan format is <code>assessment-plan</code>.</p>
      <p>The root of the OSCAL Assessment Results format is <code>assessment-results</code>.</p>
      <p>The root of the OSCAL Plan of Action and Milestones (POA&amp;M) format is <code>plan-of-action-and-milestones</code>.</p>
   </remarks>
   <!-- IMPORT STATEMENTS -->
   <import href="oscal_control-common_metaschema.xml"/>
   <import href="oscal_implementation-common_metaschema.xml"/>

   <!-- SSP Import -->
   <define-assembly name="import-ssp">
      <formal-name>Import System Security Plan</formal-name>
      <description>Used by the assessment plan and POA&amp;M to import information about the system.</description>
      <define-flag name="href" as-type="uri-reference" required="yes">
         <formal-name>System Security Plan Reference</formal-name>
         <description>A resolvable URL reference to the system security plan for the system being assessed.</description>
         <remarks>
            <p>This value may be one of:</p>
            <ol>
               <li>an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that points to a network resolvable resource,</li>
               <li>a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#relative-reference">relative reference</a> pointing to a network resolvable resource whose base URI is the URI of the containing document, or</li>
               <li>a bare URI fragment (i.e., `#uuid`) pointing to a <code>back-matter</code> resource in this or an imported document (see <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#linking-to-another-oscal-object">linking to another OSCAL object</a>).</li>
            </ol>
         </remarks>
      </define-flag>

      <model>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
   </define-assembly>

   <define-assembly name="local-objective">
      <formal-name>Assessment-Specific Control Objective</formal-name>
      <description>A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.</description>
      <flag ref="control-id" required="yes">
         <remarks>
            <p>The specified <code>control-id</code> must be a valid value within the baseline identified by the target system's SSP via the <code>import-profile</code> statement.</p>
         </remarks>
      </flag>
      <model>
         <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
            <formal-name>Objective Description</formal-name>
            <description>A human-readable description of this control objective.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <assembly ref="part" min-occurs="1" max-occurs="unbounded">
            <group-as name="parts" in-json="ARRAY" />
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
      <constraint>
         <allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
            <enum value="objective" deprecated="1.0.1">**(deprecated)** Use 'assessment-objective' instead.</enum>
            <enum value="assessment" deprecated="1.0.1">**(deprecated)** Use 'assessment-method' instead.</enum>
            <enum value="assessment-objective">The part defines an assessment objective.</enum>
            <enum value="assessment-method">The part defines an assessment method.</enum>
         </allowed-values>
         <has-cardinality target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]" max-occurs="1" />
         <has-cardinality target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method']" min-occurs="1" max-occurs="1" />
         <has-cardinality target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]/part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objects','assessment-objects')]" min-occurs="1" max-occurs="1" />
         <has-cardinality target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('objective','assessment-objective')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method-id']" min-occurs="1" />
      </constraint>
   </define-assembly>
   <define-assembly name="assessment-method">
      <formal-name>Assessment Method</formal-name>
      <description>A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.</description>
      <define-flag name="uuid" required="yes" as-type="uuid">
         <formal-name>Assessment Method Universally Unique Identifier</formal-name>
         <!-- Identifier Declaration -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this assessment method elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>assessment method</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <model>
         <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
            <formal-name>Assessment Method Description</formal-name>
            <description>A human-readable description of this assessment method.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <assembly ref="assessment-part" min-occurs="1" max-occurs="1"/>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
   </define-assembly>

   <define-assembly name="activity">
      <formal-name>Activity</formal-name>
      <description>Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.</description>
      <define-flag name="uuid" required="yes" as-type="uuid">
         <formal-name>Assessment Activity Universally Unique Identifier</formal-name>
         <!-- Identifier Declaration -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this assessment activity elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>activity</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <model>
         <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
            <formal-name>Included Activity Title</formal-name>
            <description>The title for this included activity.</description>
         </define-field>
         <define-field name="description" min-occurs="1" max-occurs="1" as-type="markup-multiline" in-xml="WITH_WRAPPER">
            <formal-name>Included Activity Description</formal-name>
            <description>A human-readable description of this included activity.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <define-assembly name="step" min-occurs="0" max-occurs="unbounded">
            <formal-name>Step</formal-name>
            <description>Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.</description>
            <group-as name="steps" in-json="ARRAY"/>
            <define-flag name="uuid" required="yes" as-type="uuid">
               <formal-name>Step Universally Unique Identifier</formal-name>
               <!-- Identifier Declaration -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this step elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>step</code> (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
            </define-flag>
            <model>
               <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
                  <formal-name>Step Title</formal-name>
                  <description>The title for this step.</description>
               </define-field>
               <define-field name="description" min-occurs="1" max-occurs="1" as-type="markup-multiline" in-xml="WITH_WRAPPER">
                  <formal-name>Step Description</formal-name>
                  <description>A human-readable description of this step.</description>
               </define-field>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <assembly ref="reviewed-controls">
                  <remarks>
                     <p>This can be optionally used to define the set of controls and control objectives that are assessed by this step.</p>
                  </remarks>
               </assembly>
               <assembly ref="responsible-role" max-occurs="unbounded">
                  <group-as name="responsible-roles" in-json="ARRAY"/>
                  <remarks>
                     <p>Identifies the roles, and optionally the parties, associated with this step that is part of an assessment activity.</p>
                  </remarks>
               </assembly>
               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
            </model>
            <constraint>
               <is-unique id="unique-step-responsible-role" target="responsible-role">
                  <key-field target="@role-id"/>
                  <remarks>
                     <p>Since multiple <code>party-uuid</code> entries can be provided, each role-id must be referenced only once.</p>
                  </remarks>
               </is-unique>
            </constraint>
         </define-assembly>
         <assembly ref="reviewed-controls">
            <use-name>related-controls</use-name>
            <remarks>
               <p>This can be optionally used to define the set of controls and control objectives that are assessed or remediated by this activity.</p>
            </remarks>
         </assembly>
         <assembly ref="responsible-role" max-occurs="unbounded">
            <group-as name="responsible-roles" in-json="ARRAY"/>
            <remarks>
               <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
            </remarks>
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
      <constraint>
         <!-- TODO: Dave to double-check constraints here -->
         <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
            <enum value="method">The assessment method to use. This typically appears on parts with the name "assessment".</enum>
         </allowed-values>
         <has-cardinality target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']" min-occurs="1"/>
         <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']/@value">
            <enum value="INTERVIEW">The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.</enum>
            <enum value="EXAMINE">The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).</enum>
            <enum value="TEST">The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.</enum>
         </allowed-values>
         <is-unique id="unique-activity-responsible-role" target="responsible-role">
            <key-field target="@role-id"/>
            <remarks>
               <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
            </remarks>
         </is-unique>
      </constraint>
   </define-assembly>

   <define-assembly name="task">
      <formal-name>Task</formal-name>
      <description>Represents a scheduled event or milestone, which may be associated with a series of assessment actions.</description>
      <define-flag name="uuid" required="yes" as-type="uuid">
         <formal-name>Task Universally Unique Identifier</formal-name>
         <!-- Identifier Declaration -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this task elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>task</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <define-flag name="type" required="yes" as-type="token">
         <formal-name>Task Type</formal-name>
         <description>The type of task.</description>
         <constraint>
            <allowed-values allow-other="yes">
               <enum value="milestone">The task represents a planned milestone.</enum>
               <enum value="action">The task represents a specific assessment action to be performed.</enum>
            </allowed-values>
         </constraint>
      </define-flag>

      <model>
         <define-field name="title" min-occurs="1" as-type="markup-line">
            <formal-name>Task Title</formal-name>
            <description>The title for this task.</description>
         </define-field>
         <define-field name="description" max-occurs="1" as-type="markup-multiline" in-xml="WITH_WRAPPER">
            <formal-name>Task Description</formal-name>
            <description>A human-readable description of this task.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <define-assembly name="timing">
            <formal-name>Event Timing</formal-name>
            <description>The timing under which the task is intended to occur.</description>
            <model>
               <choice>
                  <define-assembly name="on-date" min-occurs="1">
                     <formal-name>On Date Condition</formal-name>
                     <description>The task is intended to occur on the specified date.</description>
                     <define-flag name="date" as-type="dateTime-with-timezone" required="yes">
                        <formal-name>On Date Condition</formal-name>
                        <description>The task must occur on the specified date.</description>
                     </define-flag>
                  </define-assembly>
                  <define-assembly name="within-date-range" min-occurs="1">
                     <formal-name>On Date Range Condition</formal-name>
                     <description>The task is intended to occur within the specified date range.</description>
                     <define-flag name="start" as-type="dateTime-with-timezone" required="yes">
                        <formal-name>Start Date Condition</formal-name>
                        <description>The task must occur on or after the specified date.</description>
                     </define-flag>
                     <define-flag name="end" as-type="dateTime-with-timezone" required="yes">
                        <formal-name>End Date Condition</formal-name>
                        <description>The task must occur on or before the specified date.</description>
                     </define-flag>
                  </define-assembly>
                  <define-assembly name="at-frequency" min-occurs="1">
                     <formal-name>Frequency Condition</formal-name>
                     <description>The task is intended to occur at the specified frequency.</description>
                     <define-flag name="period" as-type="positiveInteger" required="yes">
                        <formal-name>Period</formal-name>
                        <description>The task must occur after the specified period has elapsed.</description>
                     </define-flag>
                     <define-flag name="unit" as-type="string" required="yes">
                        <formal-name>Time Unit</formal-name>
                        <description>The unit of time for the period.</description>
                        <constraint>
                           <allowed-values>
                              <enum value="seconds">The period is specified in seconds.</enum>
                              <enum value="minutes">The period is specified in minutes.</enum>
                              <enum value="hours">The period is specified in hours.</enum>
                              <enum value="days">The period is specified in days.</enum>
                              <enum value="months">The period is specified in calendar months.</enum>
                              <enum value="years">The period is specified in calendar years.</enum>
                           </allowed-values>
                        </constraint>
                     </define-flag>
                  </define-assembly>
               </choice>
            </model>
         </define-assembly>
         <define-assembly name="dependency" max-occurs="unbounded">
            <formal-name>Task Dependency</formal-name>
            <description>Used to indicate that a task is dependent on another task.</description>
            <group-as name="dependencies" in-json="ARRAY"/>
            <define-flag name="task-uuid" required="yes" as-type="uuid">
               <formal-name>Task Universally Unique Identifier Reference</formal-name>
               <!-- Identifier Reference -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a unique task.</description>
            </define-flag>
            <model>
               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
            </model>
         </define-assembly>
         <assembly ref="task" min-occurs="0" max-occurs="unbounded">
            <group-as name="tasks" in-json="ARRAY"/>
         </assembly>

         <define-assembly name="associated-activity" min-occurs="0" max-occurs="unbounded">
            <formal-name>Associated Activity</formal-name>
            <description>Identifies an individual activity to be performed as part of a task.</description>
            <group-as name="associated-activities" in-json="ARRAY"/>
            <define-flag name="activity-uuid" required="yes" as-type="uuid">
               <formal-name>Activity Universally Unique Identifier Reference</formal-name>
               <!-- Identifier Reference -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to an activity defined in the list of activities.</description>
            </define-flag>
            <model>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <assembly ref="responsible-role" max-occurs="unbounded">
                  <group-as name="responsible-roles" in-json="ARRAY"/>
                  <remarks>
                     <p>Identifies the person or organization responsible for performing a specific role defined by the activity.</p>
                  </remarks>
               </assembly>
<!--               <choice>
-->                  <assembly ref="assessment-subject" min-occurs="1" max-occurs="unbounded">
                     <use-name>subject</use-name>
                     <group-as name="subjects" in-json="ARRAY"/>
                  </assembly>
<!--                  <assembly ref="assessment-subject-placeholder">
                     <use-name>subject-placeholder</use-name>
                  </assembly>
               </choice>
-->               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
            </model>
            <constraint>
               <is-unique id="unique-associated-activity-responsible-role" target="responsible-role">
                  <key-field target="@role-id"/>
                  <remarks>
                     <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
                  </remarks>
               </is-unique>
            </constraint>
         </define-assembly>
         <assembly ref="assessment-subject" max-occurs="unbounded">
            <use-name>subject</use-name>
            <group-as name="subjects" in-json="ARRAY"/>
            <remarks>
               <p>The assessment subjects that the activity was performed against.</p>
            </remarks>
         </assembly>
         <assembly ref="responsible-role" max-occurs="unbounded">
            <group-as name="responsible-roles" in-json="ARRAY"/>
            <remarks>
               <p>Identifies the person or organization responsible for performing a specific role related to the task.</p>
               <!-- todo: role id and party id scope is defined at the document level.  Refer to root object within which the data is declared for...mention resolved through imports.  Note: wh-->
            </remarks>
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
   </define-assembly>

   <!-- ********** OBJECTIVES Assembly ********** -->
   <define-assembly name="reviewed-controls">
      <formal-name>Reviewed Controls and Control Objectives</formal-name>
      <description>Identifies the controls being assessed and their control objectives.</description>
      <model>
         <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
            <formal-name>Control Objective Description</formal-name>
            <description>A human-readable description of control objectives.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>

         <define-assembly name="control-selection" min-occurs="1" max-occurs="unbounded">
            <formal-name>Assessed Controls</formal-name>
            <description>Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.</description>
            <group-as name="control-selections" in-json="ARRAY"/>
            <model>
               <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
                  <formal-name>Assessed Controls Description</formal-name>
                  <description>A human-readable description of in-scope controls specified for assessment.</description>
               </define-field>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <choice>
                  <assembly ref="include-all" min-occurs="1"/>
                  <assembly ref="select-control-by-id" min-occurs="1" max-occurs="unbounded">
                     <use-name>include-control</use-name>
                     <group-as name="include-controls" in-json="ARRAY"/>
                     <remarks>
                        <p>Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.</p>
                     </remarks>
                  </assembly>
               </choice>
               <assembly ref="select-control-by-id" max-occurs="unbounded">
                  <use-name>exclude-control</use-name>
                  <group-as name="exclude-controls" in-json="ARRAY"/>
                  <remarks>
                     <p>Used to select a control for exclusion by the control's identifier. Specific control statements can be excluded by their statement identifier.</p>
                  </remarks>
               </assembly>
               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
            </model>
            <remarks>
               <p>The <code>include-all</code>, specifies all control identified in the <strong>baseline</strong> are included in the scope if this assessment, as specified by the <code>include-profile</code> statement within the linked SSP.</p>
               <p>Any control specified within <code>exclude-controls</code> must first be within a range of explicitly included controls, via <code>include-controls</code> or <code>include-all</code>.</p>
            </remarks>
         </define-assembly>

         <define-assembly name="control-objective-selection" min-occurs="0" max-occurs="unbounded">
            <formal-name>Referenced Control Objectives</formal-name>
            <description>Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.</description>
            <group-as name="control-objective-selections" in-json="ARRAY"/>
            <model>
               <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
                  <formal-name>Control Objectives Description</formal-name>
                  <description>A human-readable description of this collection of control objectives.</description>
               </define-field>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <choice>
                  <assembly ref="include-all" min-occurs="1"/>
                  <assembly ref="select-objective-by-id" min-occurs="1" max-occurs="unbounded">
                     <use-name>include-objective</use-name>
                     <group-as name="include-objectives" in-json="ARRAY"/>
                     <remarks>
                        <p>Used to select a control objective for inclusion by the control objective's identifier.</p>
                     </remarks>
                  </assembly>
               </choice>
               <assembly ref="select-objective-by-id" max-occurs="unbounded">
                  <use-name>exclude-objective</use-name>
                  <group-as name="exclude-objectives" in-json="ARRAY"/>
                  <remarks>
                     <p>Used to select a control objective for exclusion by the control objective's identifier.</p>
                  </remarks>
               </assembly>
               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
            </model>
            <remarks>
               <p>The <code>include-all</code> field, specifies all control objectives for any in-scope control. In-scope controls are defined in the <code>control-selection</code>.</p>
               <p>Any control objective specified within <code>exclude-controls</code> must first be within a range of explicitly included control objectives, via <code>include-objectives</code> or <code>include-all</code>.</p>
            </remarks>
         </define-assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
      <remarks>
         <p>In the context of an assessment plan, this construct is used to identify the controls and control objectives that are to be assessed. In the context of an assessment result, this construct is used to identify the actual controls and objectives that were assessed, reflecting any changes from the plan.</p>
         <p>When resolving the selection of controls and control objectives, the following processing will occur:</p>
         <p>1. Controls will be resolved by creating a set of controls based on the control-selections by first handling the includes, and then removing any excluded controls.</p>
         <p>2. The set of control objectives will be resolved from the set of controls that was generated in the previous step. The set of control objectives is based on the control-objective-selection by first handling the includes, and then removing any excluded control objectives.</p>
      </remarks>
   </define-assembly>

   <define-assembly name="select-control-by-id" scope="local">
      <formal-name>Select Control</formal-name>
      <description>Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.</description>
      <flag ref="control-id" required="yes"/>
      <model>
         <define-field name="statement-id" as-type="token" min-occurs="0" max-occurs="unbounded" >
            <formal-name>Include Specific Statements</formal-name>
            <description>Used to constrain the selection to only specificity identified statements.</description>
            <group-as name="statement-ids" in-json="ARRAY"/>
         </define-field>
      </model>
   </define-assembly>

   <define-assembly name="select-objective-by-id">
      <formal-name>Select Objective</formal-name>
      <description>Used to select a control objective for inclusion/exclusion based on the control objective's identifier.</description>
      <flag ref="objective-id" required="yes"/>
   </define-assembly>

   <!-- ********** ASSESSMENT SUBJECT Assembly ********** -->
   <define-assembly name="assessment-subject-placeholder">
      <formal-name>Assessment Subject Placeholder</formal-name>
      <description>Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.</description>
      <define-flag name="uuid" required="yes" as-type="uuid">
         <formal-name>Assessment Subject Placeholder Universally Unique Identifier</formal-name>
          <!-- Identifier Declaration -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined <em>UUID</em> of the <code>assessment subject placeholder</code> can be used to reference the data item locally or globally (e.g., in an <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">imported OSCAL instance</a>). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <model>
         <define-field name="description" as-type="markup-multiline" in-xml="WITH_WRAPPER">
            <formal-name>Assessment Subject Placeholder Description</formal-name>
            <description>A human-readable description of intent of this assessment subject placeholder.</description>
         </define-field>
         <define-assembly name="source" min-occurs="1" max-occurs="unbounded">
            <formal-name>Assessment Subject Source</formal-name>
            <description>Assessment subjects will be identified while conducting the referenced activity-instance.</description>
            <group-as name="sources" in-json="ARRAY"/>
            <define-flag name="task-uuid" required="yes" as-type="uuid">
               <formal-name>Task Universally Unique Identifier</formal-name>
               <!-- Identifier Declaration -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined <em>UUID</em> of the <code>task</code> can be used to reference the data item locally or globally (e.g., in an <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">imported OSCAL instance</a>). This UUID should be assigned <em>per-subject</em>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
            </define-flag>
         </define-assembly>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
   </define-assembly>

   <define-assembly name="assessment-subject">
      <formal-name>Subject of Assessment</formal-name>
      <description>Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.</description>
      <define-flag name="type" as-type="token" required="yes">
         <formal-name>Subject Type</formal-name>
         <description>Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.</description>
         <constraint>
            <allowed-values allow-other="yes">
               <enum value="component">The referenced assessment subject is a component defined in the SSP, or in the <code>local-definitions</code> of an Assessment Plan or Assessment Results.</enum>
               <enum value="inventory-item">The referenced assessment subject is a inventory item defined in the SSP, or in the <code>local-definitions</code> of an Assessment Plan or Assessment Results.</enum>
               <enum value="location">The referenced assessment subject is a <code>location</code> defined in the <code>metadata</code> of the SSP, Assessment Plan, or Assessment Results.</enum>
               <enum value="party">The referenced assessment subject is a person or team to interview, who is defined as a <code>party</code> in the <code>metadata</code> of the SSP, Assessment Plan, or Assessment Results.</enum>
               <enum value="user">The referenced assessment subject is a <code>user</code> defined in the SSP, or in the <code>local-definitions</code> of an Assessment Plan or Assessment Results.</enum>
            </allowed-values>
         </constraint>
      </define-flag>
      <model>
         <define-field name="description"  min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
            <formal-name>Include Subjects Description</formal-name>
            <description>A human-readable description of the collection of subjects being included in this assessment.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <choice>
            <assembly ref="include-all" min-occurs="1"/>
            <assembly ref="select-subject-by-id" min-occurs="1" max-occurs="unbounded">
               <use-name>include-subject</use-name>
               <group-as name="include-subjects" in-json="ARRAY"/>
            </assembly>
         </choice>
         <assembly ref="select-subject-by-id" min-occurs="0" max-occurs="unbounded">
            <use-name>exclude-subject</use-name>
            <group-as name="exclude-subjects" in-json="ARRAY"/>
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
      <remarks>
         <p>Processing of an include/exclude pair starts with processing the include, then removing matching entries in the exclude.</p>
      </remarks>
   </define-assembly>

   <define-assembly name="select-subject-by-id">
      <formal-name>Select Assessment Subject</formal-name>
      <description>Identifies a set of assessment subjects to include/exclude by UUID.</description>
      <flag ref="subject-uuid" required="yes"/>
      <flag ref="subject-type" required="yes">
         <use-name>type</use-name>
      </flag>
      <model>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
   </define-assembly>

   <define-flag name="subject-uuid" as-type="uuid" scope="local">
      <formal-name>Subject Universally Unique Identifier Reference</formal-name>
      <!-- Identifier Reference -->
      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.</description>
   </define-flag>

   <define-flag name="subject-type" as-type="token" scope="local">
      <formal-name>Subject Universally Unique Identifier Reference Type</formal-name>
      <description>Used to indicate the type of object pointed to by the <code>uuid-ref</code> within a subject.</description>
      <constraint>
         <allowed-values allow-other="yes">
            <enum value="component">Component</enum>
            <enum value="inventory-item">Inventory Item</enum>
            <enum value="location">Location</enum>
            <enum value="party">Interview Party</enum>
            <enum value="user">User</enum>
            <enum value="resource">Resource or Artifact</enum>
         </allowed-values>
      </constraint>
   </define-flag>

   <define-assembly name="subject-reference" scope="local">
      <formal-name>Identifies the Subject</formal-name>
      <!-- Identifier Reference -->
      <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented">human-oriented</a> identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.</description>
      <flag ref="subject-uuid" required="yes"/>
      <flag ref="subject-type" required="yes">
         <use-name>type</use-name>
      </flag>
      <model>
         <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
            <!-- QUESTION: Is this needed, since the title from the target can be used? -->
            <formal-name>Subject Reference Title</formal-name>
            <description>The title or name for the referenced subject.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
      <remarks>
         <p>The subject reference UUID could point to an item defined in the SSP, AP, or AR.</p>
         <p>Tools should check look for the ID in every file imported directly or indirectly.</p>
      </remarks>
   </define-assembly>

   <!-- ********** ASSET Assembly ********** -->
   <define-assembly name="assessment-assets">
      <formal-name>Assessment Assets</formal-name>
      <description>Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.</description>
      <model>
         <assembly ref="system-component" min-occurs="0" max-occurs="unbounded">
            <use-name>component</use-name>
            <group-as name="components" in-json="ARRAY"/>
            <remarks>
               <p>Used to add any components for tools used during the assessment. These are represented here to avoid mixing with system components.</p>
               <p>The technology tools used by the assessor to perform the assessment, such as vulnerability scanners. In the assessment plan these are the intended tools. In the assessment results, these are the actual tools used, including any differences from the assessment plan.</p>
            </remarks>
         </assembly>
         <define-assembly name="assessment-platform" min-occurs="1" max-occurs="unbounded">
            <formal-name>Assessment Platform</formal-name>
            <description>Used to represent the toolset used to perform aspects of the assessment.</description>
            <group-as name="assessment-platforms" in-json="ARRAY"/>
            <define-flag name="uuid" required="yes" as-type="uuid">
               <formal-name>Assessment Platform Universally Unique Identifier</formal-name>
               <!-- Identifier Declaration -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined <em>UUID</em> of the <code>assessment platform</code> can be used to reference the data item locally or globally (e.g., in an <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">imported OSCAL instance</a>). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
            </define-flag>
            <model>
               <define-field name="title" max-occurs="1" as-type="markup-line">
                  <formal-name>Assessment Platform Title</formal-name>
                  <description>The title or name for the assessment platform.</description>
               </define-field>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <define-assembly name="uses-component" min-occurs="0" max-occurs="unbounded">
                  <formal-name>Uses Component</formal-name>
                  <description>The set of components that are used by the assessment platform.</description>
                  <group-as name="uses-components" in-json="ARRAY"/>
                  <define-flag required="yes" name="component-uuid" as-type="uuid">
                     <formal-name>Component Universally Unique Identifier Reference</formal-name>
                     <!-- Identifier Reference -->
                     <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a component that is implemented as part of an inventory item.</description>
                  </define-flag>
                  <model>
                     <assembly ref="property" max-occurs="unbounded">
                        <group-as name="props" in-json="ARRAY"/>
                     </assembly>
                     <assembly ref="link" max-occurs="unbounded">
                        <group-as name="links" in-json="ARRAY"/>
                     </assembly>
                     <assembly ref="responsible-party" max-occurs="unbounded">
                        <group-as name="responsible-parties" in-json="ARRAY"/>
                     </assembly>
                     <field ref="remarks" in-xml="WITH_WRAPPER"/>
                  </model>
                  <constraint>
                     <is-unique id="unique-ssp-uses-component-responsible-party" target="responsible-party">
                        <key-field target="@role-id"/>
                        <remarks>
                           <p>Since <code>responsible-party</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
                        </remarks>
                     </is-unique>
                  </constraint>
               </define-assembly>
               <field ref="remarks" in-xml="WITH_WRAPPER"/>
            </model>
         </define-assembly>
      </model>
      <constraint>
         <is-unique id="unique-ssp-assessment-assets-component" target="component">
            <key-field target="@uuid"/>
            <remarks>
               <p>Since multiple assessment <code>component</code> entries can be provided, each component must have a unique <code>uuid</code>.</p>
            </remarks>
         </is-unique>
      </constraint>
   </define-assembly>

   <!-- ********** Assemblies used within RESULTS and POA&M Items ********** -->
   <define-assembly name="finding-target">
      <formal-name>Objective Status</formal-name>
      <description>Captures an assessor's conclusions regarding the degree to which an objective is satisfied.</description>
      <define-flag name="type" as-type="string" required="yes">
         <formal-name>Finding Target Type</formal-name>
         <description>Identifies the type of the target.</description>
         <constraint>
            <allowed-values>
               <enum value="statement-id">A reference to a control statement identifier within a control.</enum>
               <enum value="objective-id">A reference to a control objective identifier within a control.</enum>
            </allowed-values>
         </constraint>
         <remarks>
            <p>The target will always be a reference to: 1) a control statement, or 2) a control objective. In the former case, there is always a single top-level statement within a control. Thus, if the entire control is targeted, this statement identifier can be used.</p>
         </remarks>
      </define-flag>
      <define-flag name="target-id" as-type="token" required="yes">
         <formal-name>Finding Target Identifier Reference</formal-name>
         <!-- Identifier Reference -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference for a specific target qualified by the <code>type</code>.</description>
      </define-flag>
      <model>
         <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
            <formal-name>Objective Status Title</formal-name>
            <description>The title for this objective status.</description>
         </define-field>
         <define-field name="description" min-occurs="0" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
            <formal-name>Objective Status Description</formal-name>
            <description>A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <define-assembly name="status" min-occurs="1">
            <formal-name>Objective Status</formal-name>
            <description>A determination of if the objective is satisfied or not within a given system.</description>
            <define-flag name="state" as-type="token" required="yes">
               <formal-name>Objective Status State</formal-name>
               <description>An indication as to whether the objective is satisfied or not.</description>
            <constraint>
                  <allowed-values>
                  <enum value="satisfied">The objective has been completely satisfied.</enum>
                  <enum value="not-satisfied">The objective has not been completely satisfied, but may be partially satisfied.</enum>
               </allowed-values>
            </constraint>
            </define-flag>
            <define-flag name="reason" as-type="token">
            <formal-name>Objective Status Reason</formal-name>
            <description>The reason the objective was given it's status.</description>
            <constraint>
                  <allowed-values allow-other="yes">
                  <enum value="pass">The target system or system component satisfied all the conditions.</enum>
                  <enum value="fail">The target system or system component did not satisfy all the conditions.</enum>
                  <enum value="other">Some other event took place that is not a pass or a fail.</enum>
               </allowed-values>
            </constraint>
         <remarks>
            <p>Reason may contain any value, and should be used to communicate additional information regarding the status.</p>
         </remarks>
            </define-flag>
            <model>
               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
            </model>
         </define-assembly>
         <assembly ref="implementation-status">
            <remarks>
               <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control was found to be implemented.</p>
            </remarks>
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
   </define-assembly>

   <define-assembly name="finding">
      <formal-name>Finding</formal-name>
      <description>Describes an individual finding.</description>
      <define-flag name="uuid" required="yes" as-type="uuid">
        <formal-name>Finding Universally Unique Identifier</formal-name>
        <!-- Identifier Declaration -->
        <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this finding in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ar-identifiers">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>finding</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <model>
        <define-field name="title" min-occurs="1" as-type="markup-line">
          <formal-name>Finding Title</formal-name>
          <description>The title for this finding.</description>
        </define-field>
        <!-- CHANGE: Added WITH_WRAPPER to description -->
        <define-field name="description" min-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
          <formal-name>Finding Description</formal-name>
          <description>A human-readable description of this finding.</description>
        </define-field>
  
        <assembly ref="property" max-occurs="unbounded">
          <group-as name="props" in-json="ARRAY"/>
        </assembly>
        <assembly ref="link" max-occurs="unbounded">
          <group-as name="links" in-json="ARRAY"/>
        </assembly>
  
        <assembly ref="origin" max-occurs="unbounded">
          <group-as name="origins" in-json="ARRAY"/>
          <remarks>
            <p>Used to identify the individual and/or tool generated this finding.</p>
          </remarks>
        </assembly>
        <assembly ref="finding-target" min-occurs="1">
          <use-name>target</use-name>
        </assembly>
        <define-field name="implementation-statement-uuid" as-type="uuid" min-occurs="0" max-occurs="1">
          <formal-name>Implementation Statement UUID</formal-name>
          <!-- Identifier Reference -->
          <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to the implementation statement in the SSP to which this finding is related.</description>
        </define-field>
        <!-- CHANGED: replaced embedded observation with references -->
        <define-assembly name="related-observation" max-occurs="unbounded">
          <formal-name>Related Observation</formal-name>
          <description>Relates the finding to a set of referenced observations that were used to determine the finding.</description>
          <group-as name="related-observations" in-json="ARRAY"/>
          <define-flag name="observation-uuid" as-type="uuid" required="yes">
            <formal-name>Observation Universally Unique Identifier Reference</formal-name>
            <!-- Identifier Reference -->
            <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to an observation defined in the list of observations.</description>
          </define-flag>
        </define-assembly>
        <!-- CHANGED: replaced "risk" with new "assciated-risk" -->
        <define-assembly name="associated-risk" max-occurs="unbounded">
          <formal-name>Associated Risk</formal-name>
          <description>Relates the finding to a set of referenced risks that were used to determine the finding.</description>
          <group-as name="related-risks" in-json="ARRAY"/>
          <define-flag name="risk-uuid" as-type="uuid" required="yes">
            <formal-name>Risk Universally Unique Identifier Reference</formal-name>
            <!-- Identifier Reference -->
            <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a risk defined in the list of risks.</description>
          </define-flag>
        </define-assembly>
        <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
   </define-assembly>

   <define-assembly name="observation">
      <formal-name>Observation</formal-name>
      <description>Describes an individual observation.</description>
      <define-flag name="uuid" required="yes" as-type="uuid">
         <formal-name>Observation Universally Unique Identifier</formal-name>
         <!-- Identifier Declaration -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <em>cross-instance</em> scope that can be used to reference this observation elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>observation</code> can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <model>
         <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
            <formal-name>Observation Title</formal-name>
            <description>The title for this observation.</description>
         </define-field>
         <define-field name="description" min-occurs="1" max-occurs="1" in-xml="WITH_WRAPPER"
            as-type="markup-multiline">
            <formal-name>Observation Description</formal-name>
            <description>A human-readable description of this assessment observation.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <define-field name="method" min-occurs="1" max-occurs="unbounded">
            <formal-name>Observation Method</formal-name>
            <description>Identifies how the observation was made.</description>
            <group-as name="methods" in-json="ARRAY"/>
            <constraint>
               <allowed-values target="." allow-other="yes">
                  <enum value="EXAMINE">An inspection was performed.</enum>
                  <enum value="INTERVIEW">An interview was performed.</enum>
                  <enum value="TEST">A manual or automated test was performed.</enum>
                  <enum value="UNKNOWN">This is only for use when converting historic content to OSCAL, where the conversion process cannot initially identify the appropriate method(s).</enum>
               </allowed-values>
            </constraint>
         </define-field>

         <define-field name="type" as-type="token" max-occurs="unbounded">
            <formal-name>Observation Type</formal-name>
            <description>Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.</description>
            <group-as name="types" in-json="ARRAY"/>
            <constraint>
               <allowed-values target="." allow-other="yes">
                  <enum value="ssp-statement-issue">A difference between the SSP implementation statement, and actual implementation.</enum>
                  <enum value="control-objective">An observation about the status of a the associated control objective.</enum>
                  <enum value="mitigation">A mitigating factor was identified.</enum>
                  <enum value="finding">An assessment finding. Used for observations made by tools, penetration testing, and other means.</enum>
                  <enum value="historic">An observation from a past assessment, which was converted to OSCAL at a later date.</enum>
               </allowed-values>
            </constraint>
         </define-field>
         <assembly ref="origin" max-occurs="unbounded">
            <group-as name="origins" in-json="ARRAY"/>
            <remarks>
               <p>Used to identify the individual and/or tool that gathered the evidence resulting in the observation identification.</p>
            </remarks>
         </assembly>
         <assembly ref="subject-reference" min-occurs="0" max-occurs="unbounded">
            <use-name>subject</use-name>
            <group-as name="subjects" in-json="ARRAY"/>
            <remarks>
               <p>Identifies who was interviewed, or what was tested or inspected.</p>
            </remarks>
         </assembly>

         <define-assembly name="relevant-evidence" max-occurs="unbounded">
            <formal-name>Relevant Evidence</formal-name>
            <description>Links this observation to relevant evidence.</description>
            <group-as name="relevant-evidence" in-json="ARRAY"/>
            <define-flag name="href" as-type="uri-reference">
               <formal-name>Relevant Evidence Reference</formal-name>
               <description>A resolvable URL reference to relevant evidence.</description>
               <remarks>
                  <p>This value may be one of:</p>
                  <ol>
                     <li>an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that points to a network resolvable resource,</li>
                     <li>a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#relative-reference">relative reference</a> pointing to a network resolvable resource whose base URI is the URI of the containing document, or</li>
                     <li>a bare URI fragment (i.e., `#uuid`) pointing to a <code>back-matter</code> resource in this or an imported document (see <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#linking-to-another-oscal-object">linking to another OSCAL object</a>).</li>
                  </ol>
               </remarks>
            </define-flag>
            <model>
               <define-field name="description" min-occurs="1" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
                  <formal-name>Relevant Evidence Description</formal-name>
                  <description>A human-readable description of this evidence.</description>
               </define-field>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
            </model>
         </define-assembly>
         <define-field name="collected" as-type="dateTime-with-timezone" min-occurs="1" max-occurs="1">
            <formal-name>Collected Field</formal-name>
            <description>Date/time stamp identifying when the finding information was collected.</description>
         </define-field>
         <define-field name="expires" as-type="dateTime-with-timezone" min-occurs="0" max-occurs="1">
            <formal-name>Expires Field</formal-name>
            <description>Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.</description>
         </define-field>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
<!--      <constraint>
         <!-\- TODO: review these and figure out where these go -\->
         <allowed-values target="origin/@type" allow-other="no">
            <!-\\- CHANGED: "tool" to "******" -\\->
            <enum value="tool">An assessment tool, defined in the assets section of the assessment plan or results.</enum>
            <enum value="test-method">A test method defined in the assessment-activities section of the assessment plan or results.</enum>
            <enum value="task">A task defined in the schedule of the assessment plan or results.</enum>
            <enum value="included-activity">An assessment activity defined in the assessment-activities section of the assessment plan or results.</enum>
            <enum value="other">The UUID points elsewhere in the this file or an imported file.</enum>
         </allowed-values>
      </constraint>
-->   </define-assembly>

   <define-assembly name="origin">
      <formal-name>Origin</formal-name>
      <description>Identifies the source of the finding, such as a tool, interviewed person, or activity.</description>
      <model>
         <assembly ref="origin-actor" min-occurs="1" max-occurs="unbounded">
            <use-name>actor</use-name>
            <group-as name="actors" in-json="ARRAY"/>
         </assembly>
         <assembly ref="related-task" max-occurs="unbounded">
            <group-as name="related-tasks" in-json="ARRAY"/>
         </assembly>
      </model>
   </define-assembly>

   <define-assembly name="origin-actor">
      <formal-name>Originating Actor</formal-name>
      <description>The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.</description>
      <define-flag name="type" as-type="token" required="yes">
         <formal-name>Actor Type</formal-name>
         <description>The kind of actor.</description>
         <constraint>
            <allowed-values>
               <enum value="tool">A reference to a tool component defined with the assessment assets.</enum>
               <enum value="assessment-platform">A reference to an assessment-platform defined with the assessment assets.</enum>
               <enum value="party">A reference to a party defined within the document metadata.</enum>
            </allowed-values>
         </constraint>
      </define-flag>
      <define-flag name="actor-uuid" as-type="uuid" required="yes">
         <formal-name>Actor Universally Unique Identifier Reference</formal-name>
         <!-- Identifier Reference -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to the tool or person based on the associated type.</description>
      </define-flag>
      <define-flag name="role-id" as-type="token">
         <formal-name>Actor Role</formal-name>
         <description>For a party, this can optionally be used to specify the role the actor was performing.</description>
      </define-flag>
      <model>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
      </model>
   </define-assembly>

   <define-assembly name="related-task">
      <formal-name>Task Reference</formal-name>
      <description>Identifies an individual task for which the containing object is a consequence of.</description>
      <define-flag name="task-uuid" required="yes" as-type="uuid">
         <formal-name>Task Universally Unique Identifier Reference</formal-name>
         <!-- Identifier Reference -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a unique task.</description>
      </define-flag>
      <model>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <assembly ref="responsible-party" max-occurs="unbounded">
            <group-as name="responsible-parties" in-json="ARRAY"/>
            <remarks>
               <p>Identifies the person or organization responsible for performing a specific role defined by the activity.</p>
            </remarks>
         </assembly>
         <assembly ref="assessment-subject" max-occurs="unbounded">
            <use-name>subject</use-name>
            <group-as name="subjects" in-json="ARRAY"/>
            <remarks>
               <p>The assessment subjects that the task was performed against.</p>
            </remarks>
         </assembly>
         <define-assembly name="identified-subject">
            <formal-name>Identified Subject</formal-name>
            <description>Used to detail assessment subjects that were identfied by this task.</description>

            <define-flag name="subject-placeholder-uuid" required="yes" as-type="uuid">
               <formal-name>Assessment Subject Placeholder Universally Unique Identifier Reference</formal-name>
               <!-- Identifier Reference -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a unique assessment subject placeholder defined by this task.</description>
            </define-flag>
            <model>
               <assembly ref="assessment-subject" min-occurs="1" max-occurs="unbounded">
                  <use-name>subject</use-name>
                  <group-as name="subjects" in-json="ARRAY"/>
                  <remarks>
                     <p>The assessment subjects that the task identified, which will be used by another task through a subject-placeholder reference. Such a task will "consume" these subjects.</p>
                  </remarks>
               </assembly>
            </model>
         </define-assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
      <constraint>
         <is-unique id="unique-ssp-related-task-responsible-party" target="responsible-party">
            <key-field target="@role-id"/>
            <remarks>
               <p>Since <code>responsible-party</code> associates multiple <code>party-uuid</code> entries with a single <code>role-id</code>, each role-id must be referenced only once.</p>
            </remarks>
         </is-unique>
      </constraint>
   </define-assembly>

   <define-field name="threat-id" as-type="uri">
      <!-- This is an id because it is an externally provided identifier -->
      <formal-name>Threat ID</formal-name>
      <description>A pointer, by ID, to an externally-defined threat.</description>
      <json-value-key>id</json-value-key>
      <define-flag name="system" as-type="uri" required="yes">
         <formal-name>Threat Type Identification System</formal-name>
         <description>Specifies the source of the threat information.</description>
         <constraint>
            <allowed-values allow-other="yes">
               <enum value="http://fedramp.gov" deprecated="1.0.3">**deprecated** The value conforms to FedRAMP definitions. This value has been deprecated; use <code>http://fedramp.gov/ns/oscal</code> instead.</enum>
               <enum value="http://fedramp.gov/ns/oscal">The value conforms to FedRAMP definitions.</enum>
            </allowed-values>
         </constraint>
         <remarks>
            <p>This value must be an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that serves as a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#use-as-a-naming-system-identifier">naming system identifier</a>.</p>
         </remarks>
      </define-flag>
      <define-flag name="href" as-type="uri-reference">
         <!-- TODO: consider deprecating this in favor of a link -->
         <formal-name>Threat Information Resource Reference</formal-name>
         <description>An optional location for the threat data, from which this ID originates.</description>
         <remarks>
            <p>This value may be one of:</p>
            <ol>
               <li>an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that points to a network resolvable resource,</li>
               <li>a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#relative-reference">relative reference</a> pointing to a network resolvable resource whose base URI is the URI of the containing document, or</li>
               <li>a bare URI fragment (i.e., `#uuid`) pointing to a <code>back-matter</code> resource in this or an imported document (see <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#linking-to-another-oscal-object">linking to another OSCAL object</a>).</li>
            </ol>
         </remarks>
      </define-flag>
   </define-field>

   <define-assembly name="risk">
      <formal-name>Identified Risk</formal-name>
      <description>An identified risk.</description>
      <define-flag name="uuid" required="yes" as-type="uuid">
         <formal-name>Risk Universally Unique Identifier</formal-name>
         <!-- Identifier Declaration -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this risk elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>risk</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <model>
         <define-field name="title" min-occurs="1" max-occurs="1" as-type="markup-line">
            <formal-name>Risk Title</formal-name>
            <description>The title for this risk.</description>
         </define-field>
         <define-field name="description" min-occurs="1" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
            <formal-name>Risk Description</formal-name>
            <description>A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.</description>
         </define-field>
         <define-field name="statement" as-type="markup-multiline" min-occurs="1" in-xml="WITH_WRAPPER">
            <!-- QUESTION: how is this different from description? -->
            <!-- TODO: remove this -->
            <formal-name>Risk Statement</formal-name>
            <description>An summary of impact for how the risk affects the system.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <field ref="risk-status" min-occurs="1">
            <use-name>status</use-name>
         </field>
         <assembly ref="origin" max-occurs="unbounded">
            <group-as name="origins" in-json="ARRAY"/>
            <remarks>
               <p>Used to identify the individual and/or tool that identified this risk.</p>
            </remarks>
         </assembly>
         <field ref="threat-id" min-occurs="0" max-occurs="unbounded">
            <!-- QUESTION: Should this be moved to risk? -->
            <group-as name="threat-ids" in-json="ARRAY"/>
         </field>

         <assembly ref="characterization" min-occurs="0" max-occurs="unbounded">
            <group-as name="characterizations" in-json="ARRAY"/>
         </assembly>
         <define-assembly name="mitigating-factor" max-occurs="unbounded">
            <formal-name>Mitigating Factor</formal-name>
            <description>Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.</description>
            <group-as name="mitigating-factors" in-json="ARRAY"/>
            <define-flag name="uuid" required="yes" as-type="uuid">
               <formal-name>Mitigating Factor Universally Unique Identifier</formal-name>
               <!-- Identifier Declaration -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this mitigating factor elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>mitigating factor</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
            </define-flag>
            <define-flag name="implementation-uuid" as-type="uuid">
               <formal-name>Implementation UUID</formal-name>
               <!-- Identifier Declaration -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this implementation statement elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>s. The locally defined <em>UUID</em> of the <code>implementation statement</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
            </define-flag>
            <model>
               <define-field name="description" min-occurs="1" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
                  <formal-name>Mitigating Factor Description</formal-name>
                  <description>A human-readable description of this mitigating factor.</description>
               </define-field>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <assembly ref="subject-reference" min-occurs="0" max-occurs="unbounded">
                  <use-name>subject</use-name>
                  <group-as name="subjects" in-json="ARRAY"/>
                  <remarks>
                     <p>Links identifiable elements of the system to this mitigating factor, such as an inventory-item or component.</p>
                  </remarks>
               </assembly>
            </model>
         </define-assembly>

         <define-field name="deadline" as-type="dateTime-with-timezone">
            <formal-name>Risk Resolution Deadline</formal-name>
            <description>The date/time by which the risk must be resolved.</description>
         </define-field>

         <assembly ref="response" min-occurs="0" max-occurs="unbounded">
            <group-as name="remediations" in-json="ARRAY"/>
         </assembly>
         <define-assembly name="risk-log">
            <formal-name>Risk Log</formal-name>
            <description>A log of all risk-related tasks taken.</description>
            <model>
               <define-assembly name="entry" min-occurs="1" max-occurs="unbounded">
                  <formal-name>Risk Log Entry</formal-name>
                  <description>Identifies an individual risk response that occurred as part of managing an identified risk.</description>
                  <group-as name="entries" in-json="ARRAY"/>
                  <define-flag name="uuid" required="yes" as-type="uuid">
                     <formal-name>Risk Log Entry Universally Unique Identifier</formal-name>
                     <!-- Identifier Declaration -->
                     <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this risk log entry elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>risk log entry</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
                  </define-flag>
                  <model>
                     <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
                        <formal-name>Title</formal-name>
                        <description>The title for this risk log entry.</description>
                     </define-field>
                     <define-field name="description" min-occurs="0" max-occurs="1" as-type="markup-multiline" in-xml="WITH_WRAPPER">
                        <formal-name>Risk Task Description</formal-name>
                        <description>A human-readable description of what was done regarding the risk.</description>
                     </define-field>
                     <define-field name="start" as-type="dateTime-with-timezone" min-occurs="1" max-occurs="1">
                        <formal-name>Start</formal-name>
                        <description>Identifies the start date and time of the event.</description>
                     </define-field>
                     <define-field name="end" as-type="dateTime-with-timezone" max-occurs="1">
                        <formal-name>End</formal-name>
                        <description>Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.</description>
                     </define-field>
                     <assembly ref="property" max-occurs="unbounded">
                        <group-as name="props" in-json="ARRAY"/>
                     </assembly>
                     <assembly ref="link" max-occurs="unbounded">
                        <group-as name="links" in-json="ARRAY"/>
                     </assembly>
                     <assembly ref="logged-by" max-occurs="unbounded">
                        <group-as name="logged-by" in-json="ARRAY"/>
                     </assembly>
                     <field ref="risk-status">
                        <use-name>status-change</use-name>
                        <remarks>
                           <p>Identifies a change in risk status made resulting from the task described by this risk log entry. This allows the risk's status history to be captured as a sequence of risk log entries.</p>
                        </remarks>
                     </field>
                     <define-assembly name="related-response" max-occurs="unbounded">
                        <formal-name>Risk Response Reference</formal-name>
                        <description>Identifies an individual risk response that this log entry is for.</description>
                        <group-as name="related-responses" in-json="ARRAY"/>
                        <define-flag name="response-uuid" required="yes" as-type="uuid">
                           <formal-name>Response Universally Unique Identifier Reference</formal-name>
                           <!-- Identifier Reference -->
                           <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to a unique risk response.</description>
                        </define-flag>
                        <model>
                           <assembly ref="property" max-occurs="unbounded">
                              <group-as name="props" in-json="ARRAY"/>
                           </assembly>
                           <assembly ref="link" max-occurs="unbounded">
                              <group-as name="links" in-json="ARRAY"/>
                           </assembly>
                           <assembly ref="related-task" max-occurs="unbounded">
                              <group-as name="related-tasks" in-json="ARRAY"/>
                              <remarks>
                                 <p>This is used to identify the task(s) that this log entry was generated for.</p>
                              </remarks>
                           </assembly>
                           <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
                        </model>
                     </define-assembly>
                     <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
                  </model>
                  <constraint>
                     <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
                        <enum value="type">The type of remediation tracking entry. Can be multi-valued.</enum>
                     </allowed-values>
                     <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value" allow-other="yes">
                        <enum value="vendor-check-in">Contacted vendor to determine the status of a pending fix to a known vulnerability.</enum>
                        <enum value="status-update">Information related to the current state of response to this risk.</enum>
                        <enum value="milestone-complete">A significant step in the response plan has been achieved.</enum>
                        <enum value="mitigation">An activity was completed that reduces the likelihood or impact of this risk.</enum>
                        <enum value="remediated">An activity was completed that eliminates the likelihood or impact of this risk.</enum>
                        <!-- QUESTION: Is this needed, since this is handled by the status field? -->
                        <enum value="closed">The risk is no longer applicable to the system.</enum>
                        <enum value="dr-submission">A deviation request was made to the authorizing official.</enum>
                        <enum value="dr-updated">A previously submitted deviation request has been modified.</enum>
                        <enum value="dr-approved">The authorizing official approved the deviation.</enum>
                        <enum value="dr-rejected">The authorizing official rejected the deviation.</enum>
                     </allowed-values>
                  </constraint>
               </define-assembly>
            </model>
         </define-assembly>

         <define-assembly name="related-observation" max-occurs="unbounded">
            <formal-name>Related Observation</formal-name>
            <description>Relates the finding to a set of referenced observations that were used to determine the finding.</description>
            <group-as name="related-observations" in-json="ARRAY"/>
            <define-flag name="observation-uuid" as-type="uuid" required="yes">
               <formal-name>Observation Universally Unique Identifier Reference</formal-name>
               <!-- Identifier Reference -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to an observation defined in the list of observations.</description>
            </define-flag>
         </define-assembly>
      </model>
      <constraint>
         <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
            <enum value="false-positive">The risk has been confirmed to be a false positive.</enum>
            <enum value="accepted">The risk has been accepted. No further action will be taken.</enum>
            <enum value="risk-adjusted">The risk has been adjusted.</enum>
            <enum value="priority">A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority)</enum>
         </allowed-values>
         <matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='priority']/@value" datatype="integer" />
      </constraint>
   </define-assembly>

   <define-assembly name="logged-by">
      <formal-name>Logged By</formal-name>
      <description>Used to indicate who created a log entry in what role.</description>
      <define-flag name="party-uuid" as-type="uuid" required="yes">
         <formal-name>Party UUID Reference</formal-name>
         <!-- Identifier Reference -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a> identifier reference to the party who is making the log entry.</description>
      </define-flag>
      <define-flag name="role-id" as-type="token">
         <formal-name>Actor Role</formal-name>
         <description>A point to the role-id of the role in which the party is making the log entry.</description>
      </define-flag>
   </define-assembly>

   <define-field name="risk-status" as-type="token">
      <formal-name>Risk Status</formal-name>
      <description>Describes the status of the associated risk.</description>
      <constraint>
         <allowed-values target="." allow-other="yes">
            <enum value="open">The risk has been identified.</enum>
            <enum value="investigating">The identified risk is being investigated. (Open risk)</enum>
            <enum value="remediating">Remediation activities are underway, but are not yet complete. (Open risk)</enum>
            <enum value="deviation-requested">A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)</enum>
            <enum value="deviation-approved">A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)</enum>
            <enum value="closed">The risk has been resolved.</enum>
         </allowed-values>
      </constraint>
   </define-field>

   <define-assembly name="characterization">
      <formal-name>Characterization</formal-name>
      <description>A collection of descriptive data about the containing object from a specific origin.</description>
      <model>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <assembly ref="origin" min-occurs="1">
            <remarks>
               <p>metadata about the specific actor that generated this descriptive data.</p>
            </remarks>
         </assembly>
         <define-assembly name="facet" min-occurs="1" max-occurs="unbounded">
            <formal-name>Facet</formal-name>
            <description>An individual characteristic that is part of a larger set produced by the same actor.</description>
            <group-as name="facets" in-json="ARRAY"/>
            <define-flag name="name" as-type="token" required="yes">
               <formal-name>Facet Name</formal-name>
               <description>The name of the risk metric within the specified system.</description>
            </define-flag>
            <define-flag name="system" as-type="uri" required="yes">
               <formal-name>Naming System</formal-name>
               <description>Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.</description>
               <constraint>
                  <allowed-values allow-other="yes"><!-- Other values -->
                     <enum value="http://fedramp.gov" deprecated="1.0.3">**deprecated** The FedRAMP naming system. This has been deprecated; use <code>http://fedramp.gov/ns/oscal</code> instead.</enum>
                     <enum value="http://fedramp.gov/ns/oscal">The FedRAMP naming system.</enum>
                     <enum value="http://csrc.nist.gov/ns/oscal"/>
                     <enum value="http://csrc.nist.gov/ns/oscal/unknown">The facet is from an unknown taxonomy. The meaning of the name is tool or organization specific.</enum>
                     <enum value="http://cve.mitre.org"/>
                     <!-- To identify which CVSS values to use -->
                     <enum value="http://www.first.org/cvss/v2.0"/>
                     <enum value="http://www.first.org/cvss/v3.0"/>
                     <enum value="http://www.first.org/cvss/v3.1"/>
                  </allowed-values>
               </constraint>
               <remarks>
                  <p>This value must be an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that serves as a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#use-as-a-naming-system-identifier">naming system identifier</a>.</p>
               </remarks>
            </define-flag>
            <define-flag name="value" as-type="string" required="yes">
               <formal-name>Facet Value</formal-name>
               <description>Indicates the value of the facet.</description>
            </define-flag>
            <model>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <field ref="remarks" in-xml="WITH_WRAPPER"/>
            </model>
            <constraint>
               <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
                  <enum value="state">Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk).</enum>
               </allowed-values>
               <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='state']/@value"><!-- For values related to initial and residual (mitigated) risk -->
                  <enum value="initial">As first identified.</enum>
                  <enum value="adjusted">Indicates that residual risk remains after some adjustments have been made.</enum>
               </allowed-values>
               <!-- TODO: What about "vulnerability-id", "plugin-id"? Should this be added to FedRAMP? -->
               <allowed-values target="(.)[@system='http://csrc.nist.gov/ns/oscal']/@name">
                  <enum value="likelihood">General likelihood rating.</enum>
                  <enum value="impact">General impact rating.</enum>
                  <enum value="risk">General risk rating.</enum>
                  <enum value="severity">General severity rating.</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://fedramp.gov','http://fedramp.gov/ns/oscal')]/@name">
                  <enum value="likelihood">Likelihood as defined by FedRAMP. The <code>class</code> can be used to specify 'initial' and 'adjusted' risk states.</enum>
                  <enum value="impact">Impact as defined by FedRAMP. The <code>class</code> can be used to specify 'initial' and 'adjusted' risk states.</enum>
                  <enum value="risk">Risk as calculated according to FedRAMP. The <code>class</code> can be used to specify 'initial' and 'adjusted' risk states.</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://cve.mitre.org']/@name">
                  <enum value="cve-id">An identifier managed by the CVE program (see <a>https://cve.mitre.org/</a>).</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0']/@name">
                  <enum value="access-vector">Base: Access Vector</enum>
                  <enum value="access-complexity">Base: Access Complexity</enum>
                  <enum value="authentication">Base: Authentication</enum>
                  <enum value="confidentiality-impact">Base: Confidentiality Impact</enum>
                  <enum value="integrity-impact">Base: Integrity Impact</enum>
                  <enum value="availability-impact">Base: Availability Impact</enum>
                  <enum value="exploitability">Temporal: Exploitability</enum>
                  <enum value="remediation-level">Temporal: Remediation Level</enum>
                  <enum value="report-confidence">Temporal: Report Confidence</enum>
                  <enum value="collateral-damage-potential">Environmental: Collateral Damage Potential</enum>
                  <enum value="target-distribution">Environmental: Target Distribution</enum>
                  <enum value="confidentiality-requirement">Environmental: Confidentiality Requirement</enum>
                  <enum value="integrity-requirement">Environmental: Integrity Requirement</enum>
                  <enum value="availability-requirement">Environmental: Availability Requirement</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name='access-vector']/@value">
                  <enum value="local">Local</enum>
                  <enum value="adjacent-network">Network Adjacent</enum>
                  <enum value="network">Network</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name='access-complexity']/@value">
                  <enum value="high">High</enum>
                  <enum value="medium">Medium</enum>
                  <enum value="low">Low</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name='authentication']/@value">
                  <enum value="multiple">Multiple</enum>
                  <enum value="single">Single</enum>
                  <enum value="none">None</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name=('confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value">
                  <enum value="none">None</enum>
                  <enum value="partial">Partial</enum>
                  <enum value="complete">Complete</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name='exploitability']/@value">
                  <enum value="unproven">Unproven</enum>
                  <enum value="proof-of-concept">Proof-of-Concept</enum>
                  <enum value="functional">Functional</enum>
                  <enum value="high">High</enum>
                  <enum value="not-defined">Not Defined</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name='remediation-level']/@value">
                  <enum value="official-fix">Official Fix</enum>
                  <enum value="temporary-fix">Temporary Fix</enum>
                  <enum value="workaround">Workaround</enum>
                  <enum value="unavailable">Unavailable</enum>
                  <enum value="not-defined">Not Defined</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name='report-confidence']/@value">
                  <enum value="unconfirmed">Unconfirmed</enum>
                  <enum value="uncorroborated">Uncorroborated</enum>
                  <enum value="confirmed">Confirmed</enum>
                  <enum value="not-defined">Not Defined</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name='collateral-damage-potential']/@value">
                  <enum value="none">None</enum>
                  <enum value="low">Low (light loss)</enum>
                  <enum value="low-medium">Low Medium</enum>
                  <enum value="medium-high">Medium High</enum>
                  <enum value="high">High (catastrophic loss)</enum>
                  <enum value="not-defined">Not Defined</enum>
               </allowed-values>
               <allowed-values target="(.)[@system='http://www.first.org/cvss/v2.0' and @name=('target-distribution', 'confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value">
                  <enum value="none"></enum>
                  <enum value="low"></enum>
                  <enum value="medium"></enum>
                  <enum value="high"></enum>
                  <enum value="not-defined"></enum>
               </allowed-values>

               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1')]/@name">
                  <enum value="attack-vector">Base: Attack Vector</enum>
                  <enum value="access-complexity">Base: Attack Complexity</enum>
                  <enum value="privileges-required">Base: Privileges Required</enum>
                  <enum value="user-interaction">Base: User Interaction</enum>
                  <enum value="scope">Base: Scope</enum>
                  <enum value="confidentiality-impact">Base: Confidentiality Impact</enum>
                  <enum value="integrity-impact">Base: Integrity Impact</enum>
                  <enum value="availability-impact">Base: Availability Impact</enum>
                  <enum value="exploit-code-maturity">Temporal: Exploit Code Maturity</enum>
                  <enum value="remediation-level">Temporal: Remediation Level</enum>
                  <enum value="report-confidence">Temporal: Report Confidence</enum>
                  <enum value="modified-attack-vector">Environmental: Modified Attack Vector</enum>
                  <enum value="modified-attack-complexity">Environmental: Modified Attack Complexity</enum>
                  <enum value="modified-privileges-required">Environmental: Modified Privileges Required</enum>
                  <enum value="modified-user-interaction">Environmental: Modified User Interaction</enum>
                  <enum value="modified-scope">Environmental: Modified Scope</enum>
                  <enum value="modified-confidentiality">Environmental: Modified Confidentiality</enum>
                  <enum value="modified-integrity">Environmental: Modified Integrity</enum>
                  <enum value="modified-availability">Environmental: Modified Availability</enum>
                  <enum value="confidentiality-requirement">Environmental: Confidentiality Requirement Modifier</enum>
                  <enum value="integrity-requirement">Environmental: Integrity Requirement Modifier</enum>
                  <enum value="availability-requirement">Environmental: Availability Requirement Modifier</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-vector']/@value">
                  <enum value="network">Network</enum>
                  <enum value="adjacent">Adjacent</enum>
                  <enum value="local">Local</enum>
                  <enum value="physical">Physical</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-complexity']/@value">
                  <enum value="high">High</enum>
                  <enum value="low">Low</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('privileges-required', 'confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value">
                  <enum value="none">None</enum>
                  <enum value="low">Low</enum>
                  <enum value="high">High</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='user-interaction']/@value">
                  <enum value="none">None</enum>
                  <enum value="required">Required</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='scope']/@value">
                  <enum value="unchanged">Unchanged</enum>
                  <enum value="changed">Changed</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='exploit-code-maturity']/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="unproven">Unproven</enum>
                  <enum value="proof-of-concept">Proof-of-Concept</enum>
                  <enum value="functional">Functional</enum>
                  <enum value="high">High</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='remediation-level']/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="official-fix">Official Fix</enum>
                  <enum value="temporary-fix">Temporary Fix</enum>
                  <enum value="workaround">Workaround</enum>
                  <enum value="unavailable">Unavailable</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='report-confidence']/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="unknown">Unknown</enum>
                  <enum value="reasonable">Reasonable</enum>
                  <enum value="confirmed">Confirmed</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('confidentiality-requirement', 'integrity-requirement', 'availability-requirement')]/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="low">Low</enum>
                  <enum value="medium">Medium</enum>
                  <enum value="high">High</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-attack-vector']/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="network">Network</enum>
                  <enum value="adjacent">Adjacent</enum>
                  <enum value="local">Local</enum>
                  <enum value="physical">Physical</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-attack-complexity']/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="high">High</enum>
                  <enum value="low">Low</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('modified-privileges-required', 'modified-confidentiality', 'modified-integrity', 'modified-availability')]/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="none">None</enum>
                  <enum value="low">Low</enum>
                  <enum value="high">High</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-user-interaction']/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="none">None</enum>
                  <enum value="required">Required</enum>
               </allowed-values>
               <allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='modified-scope']/@value">
                  <enum value="not-defined">Not Defined</enum>
                  <enum value="unchanged">Unchanged</enum>
                  <enum value="changed">Changed</enum>
               </allowed-values>
            </constraint>
         </define-assembly>
      </model>
   </define-assembly>

   <define-assembly name="response" scope="local">
      <formal-name>Risk Response</formal-name>
      <description>Describes either recommended or an actual plan for addressing the risk.</description>
      <define-flag name="uuid" required="yes" as-type="uuid">
         <formal-name>Remediation Universally Unique Identifier</formal-name>
         <!-- Identifier Declaration -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this remediation elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>risk response</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <define-flag name="lifecycle" as-type="token" required="yes">
         <formal-name>Remediation Intent</formal-name>
         <description>Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.</description>
         <constraint>
            <allowed-values allow-other="yes">
               <enum value="recommendation">Recommended remediation.</enum>
               <enum value="planned">The actions intended to resolve the risk.</enum>
               <enum value="completed">This remediation activities were performed to address the risk.</enum>
            </allowed-values>
         </constraint>
      </define-flag>
      <model>
         <define-field name="title" min-occurs="1" max-occurs="1" as-type="markup-line">
            <formal-name>Response Title</formal-name>
            <description>The title for this response activity.</description>
         </define-field>
         <define-field name="description" min-occurs="1" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
            <formal-name>Response Description</formal-name>
            <description>A human-readable description of this response plan.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <assembly ref="origin" max-occurs="unbounded">
            <group-as name="origins" in-json="ARRAY"/>
            <remarks>
               <p>Used to identify the individual and/or tool that generated this recommended or planned response.</p>
            </remarks>
         </assembly>

         <define-assembly name="required-asset" max-occurs="unbounded">
            <!-- QUESTION: Do we need to identify a set of remediation assets similar to assessment-assets -->
            <formal-name>Required Asset</formal-name>
            <description>Identifies an asset required to achieve remediation.</description>
            <group-as name="required-assets" in-json="ARRAY"/>
            <define-flag name="uuid" required="yes" as-type="uuid">
               <formal-name>Required Universally Unique Identifier</formal-name>
               <!-- Identifier Declaration -->
               <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this required asset elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>asset</code> can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
            </define-flag>
            <model>
               <assembly ref="subject-reference" min-occurs="0" max-occurs="unbounded">
                  <use-name>subject</use-name>
                  <group-as name="subjects" in-json="ARRAY"/>
                  <remarks>
                     <p>Identifies an asset associated with this requirement, such as a party, system component, or inventory-item.</p>
                  </remarks>
               </assembly>
               <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line">
                  <formal-name>Title for Required Asset</formal-name>
                  <description>The title for this required asset.</description>
               </define-field>
               <define-field name="description" min-occurs="1" max-occurs="1" in-xml="WITH_WRAPPER" as-type="markup-multiline">
                  <formal-name>Description of Required Asset</formal-name>
                  <description>A human-readable description of this required asset.</description>
               </define-field>
               <assembly ref="property" max-occurs="unbounded">
                  <group-as name="props" in-json="ARRAY"/>
               </assembly>
               <assembly ref="link" max-occurs="unbounded">
                  <group-as name="links" in-json="ARRAY"/>
               </assembly>
               <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
            </model>
         </define-assembly>
         <assembly ref="task" min-occurs="0" max-occurs="unbounded">
            <group-as name="tasks" in-json="ARRAY"/>
         </assembly>
         <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
      </model>
      <constraint>
         <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
            <enum value="type"></enum>
         </allowed-values>
         <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value">
            <enum value="avoid">The risk will be eliminated.</enum>
            <enum value="mitigate">The risk will be reduced.</enum>
            <enum value="transfer">The risk will be transferred to another organization or entity.</enum>
            <enum value="accept">The risk will continue to exist without further efforts to address it. (Sometimes referred to as "Operationally required")</enum>
            <enum value="share">The risk will be partially transferred to another organization or entity.</enum>
            <enum value="contingency">Plans will be made to address the risk impact if the risk occurs. (This is a form of mitigation.)</enum>
            <enum value="none">No response, such as when the identified risk is found to be a false positive.</enum>
         </allowed-values>
      </constraint>
   </define-assembly>

   <define-flag name="objective-id" as-type="token" scope="local">
      <!-- This is an id to sync with control syntax -->
      <formal-name>Objective ID</formal-name>
      <description>Points to an assessment objective.</description>
   </define-flag>

   <define-assembly name="assessment-part"> <!--scope="local"-->
      <!-- QUESTION: Is it confusing to use part here, given the control meaning of part? -->
      <formal-name>Assessment Part</formal-name>
      <description>A partition of an assessment plan or results or a child of another part.</description>
      <use-name>part</use-name>
      <define-flag name="uuid" as-type="uuid">
         <!-- CHANGE: from uuiid to uuid -->
         <formal-name>Part Identifier</formal-name>
         <!-- Identifier Declaration -->
         <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">machine-oriented</a>, <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally unique</a> identifier with <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a> scope that can be used to reference this part elsewhere in <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope">this or other OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>part</code> can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>, which means it should be consistently used to identify the same subject across revisions of the document.</description>
      </define-flag>
      <define-flag name="name" as-type="token" required="yes">
         <formal-name>Part Name</formal-name>
         <description>A textual label that uniquely identifies the part's semantic type.</description>
         <constraint>
            <allowed-values allow-other="yes">
               <!-- QUESTION: Should this be in sync with control part? Should these be defined here or should they be defined in the context of use? -->
               <enum value="asset">An assessment asset.</enum>
               <enum value="method">An assessment method.</enum>
               <enum value="objective">Describes a set of control objectives.</enum>
            </allowed-values>
         </constraint>
      </define-flag>
      <define-flag name="ns" as-type="uri" default="http://csrc.nist.gov/ns/oscal">
         <!-- CHANGED: data type to uri -->
         <formal-name>Part Namespace</formal-name>
         <description>A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.</description>
         <remarks>
            <p>This value must be an <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#absolute-uri">absolute URI</a> that serves as a <a href="https://pages.nist.gov/OSCAL/concepts/uri-use/#use-as-a-naming-system-identifier">naming system identifier</a>.</p>
            <p>When a <code>ns</code> is not provided, its value should be assumed to be <code>http://csrc.nist.gov/ns/oscal</code> and the name should be a name defined by the associated OSCAL model.</p>
         </remarks>
      </define-flag>
      <define-flag name="class" as-type="token">
         <formal-name>Part Class</formal-name>
         <description>A textual label that provides a sub-type or characterization of the part's <code>name</code>. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same <code>name</code> and <code>ns</code>.</description>
         <remarks>
            <p>A <code>class</code> can be used in validation rules to express extra constraints over named items of a specific <code>class</code> value.</p>
            <p>A <code>class</code> can also be used in an OSCAL profile as a means to target an alteration to control content.</p>
         </remarks>
      </define-flag>
      <model>
         <define-field name="title" min-occurs="0" max-occurs="1" as-type="markup-line" >
            <formal-name>Part Title</formal-name>
            <description>A name given to the part, which may be used by a tool for display and navigation.</description>
         </define-field>
         <assembly ref="property" max-occurs="unbounded">
            <group-as name="props" in-json="ARRAY"/>
         </assembly>
         <define-field name="prose" as-type="markup-multiline" in-xml="UNWRAPPED" min-occurs="0">
            <!-- QUESTION: Is this the right name? -->
            <formal-name>Part Text</formal-name>
            <description>Permits multiple paragraphs, lists, tables etc.</description>
         </define-field>
         <assembly ref="assessment-part" max-occurs="unbounded">
            <group-as name="parts" in-json="ARRAY"/>
         </assembly>
         <assembly ref="link" max-occurs="unbounded">
            <group-as name="links" in-json="ARRAY"/>
         </assembly>
         <!-- <any/> -->
      </model>
      <constraint>
         <allowed-values target=".[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
            <enum value="method">The assessment method to use. This typically appears on parts with the name "objective".</enum>
         </allowed-values>
         <has-cardinality target=".[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']" min-occurs="1"/>
         <allowed-values target=".[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']/@value">
            <enum value="INTERVIEW">The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.</enum>
            <enum value="EXAMINE">The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).</enum>
            <enum value="TEST">The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.</enum>
         </allowed-values>
      </constraint>
      <remarks>
         <p>A <code>part</code> provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A <code>part</code> can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A <code>part</code> can contain <code>prop</code> objects that allow for enriching prose text with structured name/value information.</p>
         <p>A <code>part</code> can be assigned an optional <code>id</code>, which allows for internal and external references to the textual concept contained within a <code>part</code>. A <code>id</code> provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a <code>catalog</code>. For example, an <code>id</code> can be used to reference or to make modifications to a control statement in a profile.</p>
         <p>Use of <code>part</code> and <code>prop</code> provides for a wide degree of extensibility within the OSCAL catalog model. The optional <code>ns</code> provides a means to qualify a part's <code>name</code>, allowing for organization-specific vocabularies to be defined with clear semantics. Any organization that extends OSCAL in this way should consistently assign a <code>ns</code> value that represents the organization, making a given namespace qualified <code>name</code> unique to that organization. This allows the combination of <code>ns</code> and <code>name</code> to always be unique and unambiguous, even when mixed with extensions from other organizations. Each organization is responsible for governance of their own extensions, and is strongly encouraged to publish their extensions as standards to their user community. If no <code>ns</code> is provided, the name is expected to be in the "OSCAL" namespace.</p>
         <p>To ensure a <code>ns</code> is unique to an organization and naming conflicts are avoided, a URI containing a DNS or other globally defined organization name should be used. For example, if FedRAMP and DoD both extend OSCAL, FedRAMP will use the <code>ns</code> <code>http://fedramp.gov/ns/oscal</code>, while DoD might use the <code>ns</code> <code>https://defense.gov</code> for any organization specific <code>name</code>.</p>
         <p>Tools that process OSCAL content are not required to interpret unrecognized OSCAL extensions; however, OSCAL compliant tools should not modify or remove unrecognized extensions, unless there is a compelling reason to do so, such as data sensitivity.</p>
      </remarks>
   </define-assembly>

</METASCHEMA>