OSCAL custom properties
Custom properties carrying a CAM-specific namespace are used to include CAM-specific information, capture impact, and tailor OSCAL content for CAM import and export across all supported models. The tables below list the property names and their meaning for each model.
Catalog
| Field | Description |
|---|---|
| impact | Captures control objective impact. |
| active | Indicates whether a control objective is active. |
| source | Source of the baseline control objective. |
| configuration | Applies a policy to baseline controls using configurations such as Addition, Subtraction, and Custom Action. |
| order | The order in which you applied the policy. |
| action | Combination of behavior and configuration. |
| behavior | Compares the control objective reference in the policy with those in the baseline controls. |
| auto_control_create | Indicates whether controls are automatically created. |
| create_control_requirements | Indicates whether control requirements are automatically created. |
| organizational_guidance | Captures organizational guidance associated with the catalog. |
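The properties above travel as OSCAL `props` entries (`name`, `ns`, `value`) on catalog controls. The following added example, which is not part of this page or of CAM itself, reads such props from a constructed catalog, filters them by namespace so that default OSCAL props such as `label` are not mistaken for CAM props, and checks the value sets the Catalog table documents. The namespace URI `https://example.invalid/ns/cam` is a placeholder, since the page does not state CAM's actual namespace.

```python
import json

# Placeholder: this page does not state CAM's namespace URI; substitute the real one.
CAM_NS = "https://example.invalid/ns/cam"
# A prop without "ns" belongs to the default OSCAL namespace and is not a CAM prop.
OSCAL_NS = "http://csrc.nist.gov/ns/oscal"

# Value sets taken from the Catalog table above.
CONFIGURATIONS = {"Addition", "Subtraction", "Custom Action"}
BOOLEAN_PROPS = {"active", "auto_control_create", "create_control_requirements"}

# Constructed sample: a two-control catalog carrying CAM props (not a real CAM export).
SAMPLE_CATALOG = json.loads("""{
 "catalog": {"groups": [{"id": "ac", "controls": [
  {"id": "ac-1", "props": [
    {"name": "label", "value": "AC-1"},
    {"name": "impact", "ns": "https://example.invalid/ns/cam", "value": "moderate"},
    {"name": "active", "ns": "https://example.invalid/ns/cam", "value": "true"},
    {"name": "configuration", "ns": "https://example.invalid/ns/cam", "value": "Addition"},
    {"name": "order", "ns": "https://example.invalid/ns/cam", "value": "1"}]},
  {"id": "ac-2", "props": [
    {"name": "active", "ns": "https://example.invalid/ns/cam", "value": "yes"},
    {"name": "configuration", "ns": "https://example.invalid/ns/cam", "value": "Removal"}]}
 ]}]}}""")

def cam_props(obj):
    """Map name -> value for the props on one OSCAL object that carry the CAM namespace."""
    return {p["name"]: p["value"] for p in obj.get("props", []) if p.get("ns", OSCAL_NS) == CAM_NS}

def iter_controls(container):
    """Yield every control in a catalog or group, descending into nested groups and controls."""
    for ctl in container.get("controls", []):
        yield ctl
        yield from iter_controls(ctl)
    for grp in container.get("groups", []):
        yield from iter_controls(grp)

def check_catalog(doc):
    """Return findings for CAM props whose values fall outside the documented sets."""
    findings = []
    for ctl in iter_controls(doc["catalog"]):
        props = cam_props(ctl)
        for name in sorted(BOOLEAN_PROPS & props.keys()):
            if props[name] not in ("true", "false"):
                findings.append(f"{ctl['id']}: {name}={props[name]!r} is not true/false")
        cfg = props.get("configuration")
        if cfg is not None and cfg not in CONFIGURATIONS:
            findings.append(f"{ctl['id']}: configuration={cfg!r} is not one of {sorted(CONFIGURATIONS)}")
        order = props.get("order")
        if order is not None and not order.isdigit():
            findings.append(f"{ctl['id']}: order={order!r} is not a non-negative integer")
    return findings

if __name__ == "__main__":
    for line in check_catalog(SAMPLE_CATALOG):
        print(line)
```

Running it against the sample reports two findings, both on `ac-2`; the un-namespaced `label` on `ac-1` is correctly ignored.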
System Security Plan (SSP)
General SSP properties
| Field | Description |
|---|---|
| impact-change-justification | Justification for changing the recommended impact level. |
| justification | Justification for making a baseline control not applicable. Present only when a baseline control is made not applicable. |
| source | Source of the baseline control objective. |
| behavior | Behavior applied when comparing policy control objectives with baseline controls. |
| action | Combination of behavior and configuration. |
| order | The order in which you applied the policy. |
| category | Category of information type. |
| sub_category | Subcategory of information type. |
| mission-critical | Indicates whether the system is mission-critical. |
| type | System type. |
| classification | System classification level. |
| version | System version. |
| skip-attestations | Indicates whether attestations are skipped. |
| active | Indicates whether the record is active. |
| business-process | Associated business process. |
| is_fully_inherited | Indicates whether the control is fully inherited. |
| implementation-status-type | Type of implementation status. |
| state-model | State model associated with the SSP. |
| workflow-version | Version of the associated workflow. |
| workflow-impact | Impact level associated with the workflow. |
| workflow-configuration | Configuration of the associated workflow. |
| package-step | Current step in the authorization package workflow. |
Privacy Impact Assessment (PIA) properties
| Field | Description |
|---|---|
| pii-in-identifiable-form | Indicates whether the system contains PII in identifiable form. |
| pii-information-about-public | Indicates whether the system contains PII about members of the public. |
| privacy-impact-assessment | Indicates whether a privacy impact assessment is required. |
| system-of-records-notice | Indicates whether a system of records notice applies. |
| privacy-sensitive-system | Indicates whether the system is privacy-sensitive. |
Metric properties
| Field | Description |
|---|---|
| percentage-of-controls-implemented | Percentage of controls implemented in the system. |
| number-of-change-requests | Number of change requests associated with the system. |
| number-of-incidents | Number of incidents associated with the system. |
| change-request-average-risk-score | Average risk score across change requests. |
| incident-average-impact | Average impact score across incidents. |
| number-of-vulnerable-items | Number of vulnerable items associated with the system. |
| vulnerable-item-average-risk-score | Average risk score across vulnerable items. |
| number-of-security-incidents | Number of security incidents associated with the system. |
| security-incident-average-risk-score | Average risk score across security incidents. |
Control Tailoring Request (CTR) properties
| Field | Description |
|---|---|
| uuid | Unique identifier of the Control Tailoring Request. |
| state | Current state of the CTR. |
| request_reason | Reason for submitting the CTR. |
| opened_by | User who opened the CTR. |
| assigned_to | User assigned to the CTR. |
| control_tailoring_request_uuid | UUID of the associated CTR. Present on baseline control overlays and work notes. |
| work_note | Work note associated with the CTR. |
| additional_comment | Additional comment associated with the CTR. |
Baseline control overlay properties
| Field | Description |
|---|---|
| requested_allocation | Requested control allocation in the CTR. |
| previous_allocation | Previous control allocation before the CTR. |
| policy_name | Name of the policy associated with the overlay. |
| inherited_from | Source from which the control is inherited. |
| requested_configuration | Requested configuration in the overlay. |
| previous_configuration | Previous configuration before the overlay. |
| control_objective_reference | Reference to the associated control objective. |
Approval workflow properties
| Field | Description |
|---|---|
| approver | User assigned as approver in the workflow. |
| comments | Comments submitted during the approval step. |
| approving | Indicates whether the record is in an approving state. |
| due_date | Due date for the approval step. |
| expected_start | Expected start date for the approval step. |
| iteration | Current iteration of the approval workflow. |
| step | Current step in the approval workflow. |
| source_table | Source table of the record being approved. |
| approval_for | Record or object for which approval is requested. |
Control and control requirement properties
| Field | Description |
|---|---|
| description | Description of the control or control requirement. |
| status | Status of the control or control requirement. |
| content | Content associated with the control. |
| owner | Owner of the control. |
| owning_group | Group that owns the control. |
| respondents | Respondents assigned to the control or control requirement. |
| implementation_statement | Implementation statement for the control. |
| frequency | Assessment frequency for the control. |
| weighting | Weighting assigned to the control. |
| sync_with_entity_owner | Indicates whether the control syncs with the entity owner. |
| supplemental_guidance | Supplemental guidance for the control. |
| attestation | Attestation associated with the control or control requirement. |
| discussion | Discussion notes for the control. |
| requirement_level_attestation | Attestation at the requirement level. |
| requirement_number | Requirement number of the control requirement. |
Assessment Plan (AP)
Activity properties
| Field | Description |
|---|---|
| interview | Interview-based assessment activity. |
| test | Test-based assessment activity. |
| examine | Examine-based assessment activity. |
| source | Source of the assessment activity. |
| state | State of the assessment activity. |
| operational-assessment-procedures | Operational assessment procedures associated with the activity. |
| test_plan_uuid | UUID of the associated test plan. |
| active | Indicates whether the activity is active. |
Assessment procedure properties
| Field | Description |
|---|---|
| assessment_objective | Assessment objective associated with the procedure. |
| identifier | Identifier of the assessment procedure. |
| uuid | UUID of the assessment procedure. |
| label | Label of the assessment step. |
Test plan properties
| Field | Description |
|---|---|
| entity | Entity associated with the test plan. |
| duration | Duration of the test plan. |
| operation_assessment_procedures | Operational assessment procedures in the test plan. |
| short_description | Short description of the test plan. |
| test_template | Test template used in the test plan. |
| test_template_source | Source of the test template. |
| planned_start_date | Planned start date of the test plan. |
| planned_end_date | Planned end date of the test plan. |
Engagement metadata properties
| Field | Description |
|---|---|
| fieldwork_complete_percentage | Percentage of fieldwork completed in the engagement. |
| objective | Objective of the engagement. |
| engagement_starts | Start date of the engagement. |
| engagement_ends | End date of the engagement. |
| budget_cost | Budgeted cost of the engagement. |
| planned_cost | Planned cost of the engagement. |
| planned_start_date | Planned start date of the engagement. |
| planned_end_date | Planned end date of the engagement. |
| fieldwork_start_date | Actual fieldwork start date. |
| fieldwork_end_date | Actual fieldwork end date. |
| engagement_actual_start | Actual start date of the engagement. |
| engagement_actual_end | Actual end date of the engagement. |
| schedule_start_date | Scheduled start date. |
| schedule_end_date | Scheduled end date. |
| work_start | Work start date. |
| work_end | Work end date. |
| description | Description of the engagement. |
| short_description | Short description of the engagement metadata. |
| state | State of the engagement. |
| active | Indicates whether the engagement is active. |
Assessment Results (AR)
Metadata properties
| Field | Description |
|---|---|
| source | Source of the assessment results. |
| actual_cost | Actual cost of the assessment. |
| report_template | Report template used for the assessment results. |
Control test properties
| Field | Description |
|---|---|
| operation_effectiveness | Operational effectiveness rating of the control test. |
| operation_expectations | Expected operational outcomes of the control test. |
| operation_results | Actual results of the control test. |
| actual_start_date | Actual start date of the control test. |
| actual_end_date | Actual end date of the control test. |
| planned_start_date | Planned start date of the control test. |
| planned_end_date | Planned end date of the control test. |
| operation_assessment_procedures | Operational assessment procedures for the control test. |
| entity | Entity associated with the control test. |
Assessment procedure properties
| Field | Description |
|---|---|
| notes | Notes associated with the assessment procedure. |
| label | Label of the assessment step. |
Plans of Action and Milestones (POA&M)
General POA&M properties
| Field | Description |
|---|---|
| source | Source of the POA&M item. |
| state | Current state of the POA&M item. |
| priority | Priority of the POA&M item. |
| response | Response associated with the POA&M item. |
| explanation | Explanation for the POA&M item. |
| issue_type | Type of issue recorded in the POA&M item. |
| classification | Classification of the POA&M item. |
| issue_rating | Risk rating of the issue. |
| issue_source | Source of the issue. |
| planned_start_date | Planned start date for remediation. |
| planned_end_date | Planned end date for remediation. |
| actual_start_date | Actual start date of remediation. |
| actual_end_date | Actual end date of remediation. |
User assignment properties
| Field | Description |
|---|---|
| assigned_to | User assigned to the POA&M item. |
| issue_manager | User managing the issue. |
| issue_manager_group | Group managing the issue. |
| watch_list | Users on the watch list for the POA&M item. |
Risk acceptance properties
| Field | Description |
|---|---|
| weakness_description | Description of the identified weakness. |
| business_effect | Business effect of the weakness. |
| business_justification | Business justification for risk acceptance. |
| request_justification | Justification for the risk acceptance request. |
| request_overview | Overview of the risk acceptance request. |
Milestone and acceptance task properties
| Field | Description |
|---|---|
| work_note | Work note associated with the milestone or acceptance task. |
| additional_comment | Additional comment on the milestone or acceptance task. |