OSCAL Assessment Plan field mapping

  • Release version: Australia
  • Updated March 12, 2026

    CAM exports engagement and control test data to OSCAL Assessment Plan format using the following field mappings.

    Engagement metadata mapping

    The OSCAL Assessment Plan metadata section contains engagement-level information exported from the CAM engagement record.

    | OSCAL AP field | CAM field | Description |
    | --- | --- | --- |
    | assessment_plan.uuid | sn_audit_engagement.sys_id | Unique identifier for the engagement |
    | assessment_plan.metadata.title | sn_audit_engagement.name | Engagement name |
    | assessment_plan.metadata.props[@name=state] | sn_audit_engagement.state.displayValue | Current engagement state (Open, Work in Progress, Closed, Complete) |
    | assessment_plan.metadata.props[@name=fieldwork_complete_percentage] | sn_audit_engagement.task_percent_complete | Percentage of testing tasks completed |
    | assessment_plan.metadata.props[@name=objective] | sn_audit_engagement.objectives | Testing objectives for this engagement |
    | assessment_plan.metadata.props[@name=planned_end_date] | sn_audit_engagement.audit_period_end | Planned audit end date |
    | assessment_plan.metadata.props[@name=planned_start_date] | sn_audit_engagement.audit_period_start | Planned audit start date |
    | assessment_plan.metadata.props[@name=engagement_starts] | sn_audit_engagement.engagement_starts | When the engagement officially begins |
    | assessment_plan.metadata.props[@name=engagement_ends] | sn_audit_engagement.engagement_ends | When the engagement officially ends |
    | assessment_plan.metadata.props[@name=fieldwork_start_date] | sn_audit_engagement.start_date | When actual testing work begins |
    | assessment_plan.metadata.props[@name=fieldwork_end_date] | sn_audit_engagement.end_date | When actual testing work ends |
    | assessment_plan.metadata.props[@name=budget_cost] | sn_audit_engagement.budget_cost | Approved budget amount for the engagement |
    | assessment_plan.metadata.props[@name=planned_cost] | sn_audit_engagement.cost | Planned cost for the engagement |

    User and role mapping

    The OSCAL metadata.parties section contains user information, and metadata.roles defines available roles. Responsible parties link users to their roles.

    | OSCAL AP Field | CAM Field | Description |
    | --- | --- | --- |
    | assessment_plan.metadata.parties.uuid | sys_user.sys_id | ServiceNow user unique identifier |
    | assessment_plan.metadata.parties.type | person (default for individual users) | Party type: person for individual users, organization for groups |
    | assessment_plan.metadata.parties.name | sys_user.first_name + ' ' + sys_user.last_name | User's full name |

    Exported roles include engagement lead, approvers, auditors, and control test owner (mapped from the control test's Assigned to field).

    Control test mapping (activities)

    The OSCAL local-definitions.activities section contains control test information. Each activity represents one control test in CAM.

    | OSCAL AP Field | CAM Field | Description |
    | --- | --- | --- |
    | assessment_plan.local-definitions.activities.uuid | sn_audit_control_test.sys_id | Unique identifier for the control test |
    | assessment_plan.local-definitions.activities.title | sn_audit_control_test.short_description | Brief title of the control test |
    | assessment_plan.local-definitions.activities.description | sn_audit_control_test.description | Detailed description of what will be tested |
    | assessment_plan.local-definitions.activities.props[@name=state] | sn_audit_control_test.state.getDisplayValue | Current test status (Not tested, In progress, Complete) |
    | assessment_plan.local-definitions.activities.props[@name=operational-assessment-procedures] | sn_audit_control_test.operation_assessment_procedures | Operational assessment procedures for this control test |
    | assessment_plan.local-definitions.activities.related-controls.control-selections.include-controls.control-id | sn_audit_control_test.control | Control being tested (for example, AC-2, AU-3) |
    | assessment_plan.local-definitions.activities.related-controls.control-objective-selections.include-objectives.objective-id | sn_audit_control_test.test_plan | Test plan associated with this control test |

    Assessment procedure mapping (steps)

    The OSCAL activities.steps section contains assessment procedure information. Each step represents one assessment procedure in CAM.

    | OSCAL AP Field | CAM Field | Description |
    | --- | --- | --- |
    | assessment_plan.local-definitions.activities.steps.uuid | sn_audit_asmnt_procedure_control_test.sys_id | Unique identifier for the assessment procedure |
    | assessment_plan.local-definitions.activities.steps.description | sn_audit_asmnt_procedure_control_test.assessment_objective | What this test step assesses or verifies |
    | assessment_plan.local-definitions.activities.steps.props[@name=label] | sn_audit_asmnt_procedure_control_test.identifier | Step identifier (for example, AC-2(a), AC-2(b)) |

    Reviewed controls mapping

    The OSCAL reviewed-controls section identifies which controls are in scope for the assessment engagement.

    | OSCAL AP Field | CAM Field | Description |
    | --- | --- | --- |
    | assessment_plan.reviewed-controls.control-selections.include-controls.control-id | sn_audit_m2m_control_engagement.sn_compliance_control.reference | Control reference included in this engagement (e.g., AC-2, AU-3) |
    | assessment_plan.reviewed-controls.control-selections.include-controls.statement-ids | sn_audit_m2m_control_engagement.sn_compliance_control.sn_compliance_m2m_control_control_requirement.control_requirement | Specific control requirements being tested (e.g., AC-2(a), AC-2(b)) |

    SSP reference mapping

    The OSCAL import-ssp section links the Assessment Plan to its parent System Security Plan.

    | OSCAL AP Field | CAM Field | Description |
    | --- | --- | --- |
    | assessment_plan.import-ssp.href | Package UUID (links to parent authorization package) | UUID reference linking this assessment plan to the package it tests |

    The href uses the package UUID. If the package was imported, it uses the UUID from the external system. If the package was created in CAM, the system converts the sys_id to UUID format.

    Custom properties

    Custom properties contain CAM-specific data not natively supported by OSCAL standards. These properties use the ServiceNow namespace (identified by "ns:servicenow" in the JSON). Custom properties include engagement-specific fields such as fieldwork dates, budget information, and control test methods. Documentation of all custom properties is available on the ServiceNow product documentation site.
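
An added example (not ServiceNow code) for reviewing an export against the mappings above: it reports engagement props missing from metadata, steps without a label prop, an import-ssp href that carries no UUID, and control tests whose control is not listed under reviewed-controls. It assumes the OSCAL JSON root key `assessment-plan` (the tables write it as assessment_plan); the scope cross-check is an added consistency check rather than documented CAM behaviour, and the sample document is constructed.

```python
import re
# Engagement-level prop names from the metadata mapping table above.
ENGAGEMENT_PROPS = ["state", "fieldwork_complete_percentage", "objective",
    "planned_start_date", "planned_end_date", "engagement_starts",
    "engagement_ends", "fieldwork_start_date", "fieldwork_end_date",
    "budget_cost", "planned_cost"]
UUID_RE = re.compile(r"[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def prop_names(obj):
    return {p.get("name") for p in obj.get("props", [])}

def included_controls(container):
    # Collect control-id values under control-selections[].include-controls[].
    return {c["control-id"] for sel in container.get("control-selections", [])
            for c in sel.get("include-controls", [])}

def check_plan(doc):
    """Return findings (strings) for an exported Assessment Plan dict."""
    ap = doc.get("assessment-plan", {})  # assumed OSCAL JSON root key
    findings = []
    missing = [n for n in ENGAGEMENT_PROPS
               if n not in prop_names(ap.get("metadata", {}))]
    if missing:
        findings.append("metadata missing props: " + ", ".join(missing))
    in_scope = included_controls(ap.get("reviewed-controls", {}))
    for act in ap.get("local-definitions", {}).get("activities", []):
        tested = included_controls(act.get("related-controls", {}))
        for cid in sorted(tested - in_scope):  # added check, not CAM behaviour
            findings.append(f"activity {act.get('title')!r} tests out-of-scope control {cid}")
        for step in act.get("steps", []):
            if "label" not in prop_names(step):
                findings.append(f"step {step.get('uuid')} has no label prop")
    if not UUID_RE.search(ap.get("import-ssp", {}).get("href", "")):
        findings.append("import-ssp.href does not contain a UUID")
    return findings

# Constructed sample, not a real CAM export; it contains three deliberate gaps.
SAMPLE = {"assessment-plan": {
    "metadata": {"title": "Constructed engagement", "props": [
        {"name": n, "value": "x"} for n in ENGAGEMENT_PROPS if n != "budget_cost"]},
    "import-ssp": {"href": "#aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"},
    "reviewed-controls": {"control-selections": [
        {"include-controls": [{"control-id": "AC-2", "statement-ids": ["AC-2(a)"]}]}]},
    "local-definitions": {"activities": [{"title": "Account review",
        "related-controls": {"control-selections": [
            {"include-controls": [{"control-id": "AU-3"}]}]},
        "steps": [{"uuid": "s1", "description": "Constructed step", "props": []}]}]},
}}
```

Calling `check_plan(SAMPLE)` returns one finding for each gap built into the sample; load a real export with `json.load` and pass the resulting dict the same way.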