### Example URI Components Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/uri-use.md Illustrates the component parts of two example URIs: one with an authority and one using the 'urn' scheme. ```text foo://example.com:8042/over/there?name=ferret#nose \_/ \______________/\_________/ \_________/ \__/ | | | | | scheme authority path query fragment | _____________________|__ / \ / \ urn:example:animal:ferret:nose ``` -------------------------------- ### Complete OSCAL Metadata Example Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/general/metadata.md An example of a complete OSCAL metadata section including title, dates, version, and OSCAL version. This demonstrates how all required and recommended fields are structured. ```xml Example OSCAL Document 2021-01-01T00:00:00-5:00 2021-01-05T00:00:00-5:00 1.0.0 1.0.4 ``` ```json { "catalog": { "uuid": "c3da6d1d-c20c-4c7c-ae73-4010167a186b" "metadata": { "title": "Example OSCAL Catalog", "published": "2021-01-01T00:00:00-5:00", "last-modified": "2021-01-05T00:00:00-5:00", "version": "1.0.0", "oscal-version": "1.0.4" } } } ``` ```yaml --- catalog: uuid: c3da6d1d-c20c-4c7c-ae73-4010167a186b metadata: title: Example OSCAL Catalog published: 2021-01-01T00:00:00-5:00 last-modified: 2021-01-05T00:00:00-5:00 version: 1.0.0 oscal-version: 1.0.4 ``` -------------------------------- ### Circular Import Example: home_profile.yaml Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html This profile imports 'circular_profile.yaml'. This setup, when combined with the reciprocal import in 'circular_profile.yaml', creates a circular dependency. ```yaml profile: id: "home_profile.yaml" metadata: ~ imports: - href: "circular_profile.yaml" include-controls: ${{ list of selected controls }} ``` -------------------------------- ### Run Local Website with Docker Compose Source: https://github.com/usnistgov/oscal-pages/blob/main/README.md Use this command to start the OSCAL website locally using Docker Compose. Press CTRL+C to stop the server. ```sh docker-compose up ``` -------------------------------- ### Representing Product and Validation Components in YAML Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/implementation/validation-modeling.md This YAML example illustrates two components, one for a product and another for its validation, linked together. The product component references the validation component. ```yaml components: - uuid: 11111111-0000-4000-a000-000000000001: type: hardware title: Product Name description: Describe the product's function. links: - rel: validation href: #22222222-0000-4000-a000-000000000002 status: state: operational - uuid: 22222222-0000-4000-a000-000000000002: component-type: validation title: Validation Name description: Describe the validation. props: - name: validation-type value: fips-140-2 - name: validation-reference value: xxxx links: - rel: validation-details href: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/xxxx status: state: operational ``` -------------------------------- ### OSCAL Control Parameters Example (XML) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/layer/control/catalog/sp800-53rev5-example.md Demonstrates the structure of OSCAL parameters within a control, including properties, labels, and selection options. Use this to understand how parameters are defined for control configuration. ```xml

personnel or roles to whom the access control policy is to be disseminated is/are defined;

personnel or roles to whom the access control procedures are to be disseminated is/are defined;

[... params ac-01_odp.04 through ac-01_odp.08 ...] ``` -------------------------------- ### OSCAL Metadata Example Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/general/metadata.md Provides a complete example of an OSCAL metadata section, showcasing various fields like title, published/modified dates, version, document ID, properties, links, parties, and responsible parties. Use this as a template for your own OSCAL documents. ```xml Example OSCAL Document 2021-01-01T00:00:00-5:00 2021-01-05T00:00:00-5:00 1.0.0 1.0.4 10.1000/182 Example Company 15d2e37c-0452-4695-9c6a-ddc1ff15397b ``` ```json { "catalog": { "uuid": "c3da6d1d-c20c-4c7c-ae73-4010167a186b", "metadata": { "title": "Example OSCAL Catalog", "published": "2021-01-01T00:00:00-5:00", "last-modified": "2021-01-05T00:00:00-5:00", "version": "1.0.0", "oscal-version":"1.0.4", "document-ids": [ { "scheme": "http://www.doi.org/", "value": "10.1000/182" } ], "props": [ { "name": "marking", "value": "red", "class": "http://www.first.org/tlp" } ], "links": [ { "rel": "latest-version", "href": "https://www.example.com/catalog/example-oscal-catalog/latest" } ], "parties": [ { "uuid": "15d2e37c-0452-4695-9c6a-ddc1ff15397b", "type": "organization", "name": "Example Company" } ], "responsible-parties":[ { "role-id": "prepared-by", "party-uuid": "15d2e37c-0452-4695-9c6a-ddc1ff15397b" } ] } } } ``` ```yaml --- catalog: uuid: c3da6d1d-c20c-4c7c-ae73-4010167a186b metadata: title: Example OSCAL Catalog published: 2021-01-01T00:00:00-5:00 last-modified: 2021-01-05T00:00:00-5:00 version: 1.0.0 oscal-version: 1.0.4 document-ids: - scheme: http://www.doi.org/ value: 10.1000/182 props: - name: marking value: red class: http://www.first.org/tlp links: - rel: latest-version href: https://www.example.com/catalog/example-oscal-catalog/latest parties: - uuid: 15d2e37c-0452-4695-9c6a-ddc1ff15397b type: organization name: Example Company responsible-parties: - role-id: prepared-by party-uuid: 15d2e37c-0452-4695-9c6a-ddc1ff15397b ``` -------------------------------- ### OSCAL Catalog Structure Example Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/control/basic-catalog.md This JSON snippet shows the basic structure of an OSCAL catalog, including metadata and groups of controls. ```json { "catalog" : { "uuid" : "956c32af-8a15-4732-a4d9-f976a1149c4b", "metadata" : { "title" : "Sample Security Catalog", "published" : "2020-02-02T11:01:04.736-04:00", "last-modified" : "2020-02-10T11:01:04.736-04:00", "version" : "1.0", "oscal-version" : "1.0.0" }, "groups" : [ { "id" : "s1", "title" : "Organization of Information Security", "props" : [ { "name" : "label", "value" : "1" } ], "groups" : [ { "id" : "s1.1", "title" : "Internal Organization", "props" : [ { "name" : "label", "value" : "1.1" } ], "parts" : [ { "id" : "s1.1_smt", "name" : "objective", "prose" : "To establish a management framework to initiate and control the implementation and\noperation of information security within the organization." } ], "controls" : [ { "id" : "s1.1.1", "title" : "Information security roles and responsibilities", "props" : [ { "name" : "label", "value" : "1.1.1" } ], "parts" : [ { "id" : "s1.1.1_stm", "name" : "statement", "prose" : "All information security responsibilities should be defined and allocated." }, { "id" : "s1.1.1_gdn", "name" : "guidance", "parts" : [ { "id" : "s1.1.1_gdn.1", "name" : "item", ``` -------------------------------- ### Dynamic Value Expression Example Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html Illustrates the use of `${{ }}` for dynamic values, such as timestamps, during processing. ```yaml last-modified: ${{ timestamp }} ``` -------------------------------- ### OSCAL Control Mapping Example Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/layer/control/mapping/_index.md Demonstrates the structure of an OSCAL control mapping collection, including metadata, provenance, and specific map relationships like subset-of and superset-of between source and target controls. ```xml ... Syntactic mapping example subset-of superset-of <> ``` -------------------------------- ### Circular Import Example: circular_profile.yaml Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html This profile imports 'home_profile.yaml'. This reciprocal import, when paired with the import in 'home_profile.yaml', forms a circular import scenario. ```yaml profile: id: "circular_profile.yaml" metadata: ~ imports: - href: "home_profile.yaml" include-controls: ${{ list of selected controls }} ``` -------------------------------- ### XML Control Part Example Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/layer/control/catalog/sp800-53rev5-example.md This XML snippet demonstrates a 'guidance' part within a control. The 'name' attribute 'guidance' may differ from the displayed title 'Discussion' for backward compatibility. Processors can adjust display as needed. ```xml

Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

``` -------------------------------- ### Profile with 'keep' Combine Method Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html This example explicitly defines the 'keep' method for handling duplicate control IDs during the merge phase, which is the default behavior when no 'combine' directive is present. ```yaml profile: imports: - href: "#catalogURI" include-all: ~ merge: combine: method: keep flat: ~ ``` -------------------------------- ### Implicit Binding: Add Prop to Control (Starting) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html Adds a new property to a control when 'position' is 'starting'. The new property is inserted after the title but before existing properties due to sorting rules. ```xml control: id: a1 title: Basic precautions props: - name: status value: ready ``` ```xml alter: control-id: a1 add: position: starting props: - name: basis value: enumerated parts: - name: caution prose: "\n\nPending scheduled testing." ``` ```xml control: id: a1 title: Basic precautions props: - name: basis value: enumerated - name: status value: ready parts: - name: caution prose: "\n\nPending scheduled testing." ``` -------------------------------- ### Include Controls by Pattern Matching (JSON) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/control/basic-profile.md This JSON structure shows how to import controls using a pattern. The 'href' points to the catalog, and 'include-controls' with a 'matching' pattern filters the controls. ```json "imports": [ { "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/examples/catalog/json/basic-catalog.json", "include-controls": [ { "matching": [ { "pattern": "s1.1.*" } ] }, ``` -------------------------------- ### Add GLC Custom Property to OSCAL YAML Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/general/extension.md This example illustrates adding a Geographic Locator Code (GLC) property to an OSCAL System Security Plan (SSP) in YAML format. It follows the same pattern as the XML and JSON examples, using a custom namespace and the `class` key for context. ```yaml system-security-plan: uuid: ce16b9af-6853-4abe-9e27-b79d034c0adc metadata: title: OSCAL Basic Prop Example last-modified: '2022-01-01T09:30:00-005' version: 20220531 oscal-version: 1.0.0 locations: - title: ... ``` -------------------------------- ### Include Controls by Pattern Matching (YAML) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/control/basic-profile.md This YAML configuration imports controls from a catalog using a pattern. The 'href' specifies the catalog source, and 'include-controls' with a 'matching' pattern selects the controls. ```yaml imports: - href: https://raw.githubusercontent.com/usnistgov/oscal-content/main/examples/catalog/json/basic-catalog.json include-controls: - matching: - pattern: s1.1.* ``` -------------------------------- ### Source Control Snippet (XML) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/layer/control/mapping/_index.md Example of a control snippet from a source OSCAL catalog. ```xml Sample source control

Implement TLS. ``` -------------------------------- ### Target Control Snippet (XML) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/layer/control/mapping/_index.md Example of a control snippet from a target OSCAL catalog, to be mapped. ```xml Sample target control

Implement TLS version 1.2 or above. ``` -------------------------------- ### External Import References Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html Illustrates how to reference external resources for import using absolute or relative URLs in the href attribute. ```xml profile: uuid: ~ metadata: ~ imports: - href: >- https://github.com/usnistgov/oscal-content/tree /master/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml include-controls: ${{ list of selected controls }} - href: "../../NIST_SP-800-53_rev5_catalog.yaml" include-controls: ${{ list of selected controls }} ``` -------------------------------- ### Circular Import Error Message Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html An example of an error message generated by a tool when a circular import is detected during profile processing. ```text # Import at href: "circular_profile.yaml" failed. # Reason: Error during profile import: # Import at href: "home_profile.yaml" failed. # Reason: Circular import ``` -------------------------------- ### Define MongoDB Protocols in JSON Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/implementation/simple-component-definition.md This JSON snippet represents the same MongoDB service component and its associated network protocols as shown in the XML example. ```json { "component-definition": { "components": [{ "uuid": "91f646c5-b1b6-4786-9ec3-2305a044e217", "type": "service", "title": "MongoDB", "protocols": [{ "uuid": "2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54", "name": "mongodb", "title": "Primary daemon process for the MongoDB system.", "port-ranges": [{ "start": 27017, "end": 27017, "transport": "TCP" }] }, { "uuid": "99d8d4e5-e734-4e05-a2f9-7353097b8b61", "name": "mongodb-shardsrv", "title": "MongoDB protocol for sharding with shardsrv option.", "port-ranges": [{ "start": 27018, "end": 27018, "transport": "TCP" }] }, { "uuid": "6fa762f1-09ca-44d5-a94c-cfceb57debd5", "name": "mongodb-configsvr", "title": "MongoDB protocol for configsrv operation.", "port-ranges": [{ "start": 27019, "end": 27019, "transport": "TCP" }] }] }] } } ``` -------------------------------- ### Include Controls by Pattern Matching (XML) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/control/basic-profile.md Use this XML snippet to import controls from a catalog based on a pattern. The 'matching' element with a 'pattern' attribute specifies which controls to include. ```xml ``` -------------------------------- ### Include Specific Controls by ID Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html Demonstrates the 'include-controls' directive with 'with-ids' to specify individual controls to be included from a referenced catalog. ```yaml include-controls: - with-ids: - id: ac-1 - id: ac-2 ``` -------------------------------- ### Include All Controls Directive Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html Illustrates the 'include-all' directive, which instructs the processor to include all controls and groups from a referenced document. ```yaml include-all: ~ ``` -------------------------------- ### YAML Component Definition Example Source: https://context7.com/usnistgov/oscal-pages/llms.txt An abbreviated YAML representation of a MongoDB component definition, including metadata, responsible roles, protocols, and control implementations. ```yaml component-definition: uuid: a7ba800c-a432-44cd-9075-0862cd66da6b metadata: title: MongoDB Component Definition Example last-modified: '2001-12-17T09:30:47Z' version: 20210507 oscal-version: 1.0.0 roles: - id: provider title: Provider parties: - uuid: ef7c799a-c50e-49ab-83e0-515e989e6df1 type: organization name: MongoDB links: - href: https://www.mongodb.com rel: website components: - uuid: 91f646c5-b1b6-4786-9ec3-2305a044e217 type: software title: MongoDB description: >- MongoDB is a source-available, cross-platform document-oriented database program. purpose: Provides a NoSQL database service responsible-roles: - role-id: provider party-uuid: ef7c799a-c50e-49ab-83e0-515e989e6df1 protocols: - uuid: 2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54 name: mongodb title: Primary daemon process for the MongoDB system. port-ranges: - start: 27017 end: 27017 transport: TCP control-implementations: - uuid: 49f0b690-ed9f-4f32-aae0-625b77aa6d27 source: https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json description: MongoDB control implementations for NIST SP 800-53 rev5. implemented-requirements: - uuid: cf8338c5-fb6e-4593-a4a8-b3c4946ee2a0 control-id: sc-8.1 description: >- MongoDB supports TLS 1.x to encrypt data in transit. To implement TLS, set the PEMKeyFile option in /etc/mongod.conf to the certificate file's path. ``` -------------------------------- ### Clone OSCAL-Pages Repository Source: https://github.com/usnistgov/oscal-pages/blob/main/README.md Use this Git command to clone the OSCAL-Pages repository to your local machine. No special setup is required to begin editing content. ```sh git clone https://github.com/usnistgov/OSCAL-Pages.git ``` -------------------------------- ### Import Controls from Catalog (YAML) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/control/basic-profile.md YAML uses a similar structure to JSON for imports, with 'imports' as a list of objects specifying catalog 'href' and 'include-controls' using 'matching' or 'with-ids'. ```yaml imports: - href: https://raw.githubusercontent.com/usnistgov/oscal-content/main/examples/catalog/json/basic-catalog.json include-controls: - matching: - pattern: s1.1.* - with-ids: - s2.1.1 ``` -------------------------------- ### Resolved Profile Output (YAML) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/control/basic-profile.md The output of the `oscal-cli profile resolve` command is a YAML-formatted catalog. This example shows a sample catalog with controls, parameters, and guidance. ```yaml --- catalog: uuid: b1296da4-4ada-40f1-bbeb-20e3429bef41 metadata: title: Sample Security Profile *for Demonstration* and Testing last-modified: 2023-05-13T22:08:16.76575041Z version: "1.0" oscal-version: 1.0.4 controls: - id: s1.1.1 title: Information security roles and responsibilities params: - id: s1.1.1-prm1 label: a choice from a selection select: how-many: one-or-more choice: - "initiating a device lock after {{ insert: param, s1.1.1-prm_2 }} of inactivity" - requiring the user to initiate a device lock before leaving the system unattended - id: s1.1.1-prm_2 label: a duration (maximum 30 minutes) props: - name: label value: 1.1.1 parts: - id: s1.1.1_stm name: statement prose: |- All information security responsibilities should be defined and allocated. A value has been assigned to {{ insert: param, s1.1.1-prm1 }}. A cross link has been established with a choppy syntax: [(choppy)](#s1.2). - id: s1.1.1_gdn name: guidance parts: - id: s1.1.1_gdn.1 name: item prose: "Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined." - id: s1.1.1_gdn.2 name: item prose: Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed. - id: s1.1.1_gdn.3 name: item prose: |- Areas for which individuals are responsible should be stated. In particular the following should take place: 1. the assets and information security processes should be identified and defined; 2. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented; 3. authorization levels should be defined and documented; 4. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments; 5. coordination and oversight of information security aspects of supplier relationships should be identified and documented. - id: s1.1.1_gdn.4 name: item prose: "Users of devices running Gnome can adjust the inactivity timeout using the following link: https://help.gnome.org/admin/system-admin-guide/stable/desktop-lockscreen.html.en" - id: s1.1.1_inf name: information props: - name: label value: Other information prose: |- Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls. However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection. - id: s1.1.2 title: Segregation of duties props: - name: label value: 1.1.2 parts: - id: s1.1.2_stm name: statement prose: Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. - id: s1.1.2_gdn name: guidance parts: - id: s1.1.2_gdn.1 name: item prose: "Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls." - id: s1.1.2_gdn.2 name: item ``` -------------------------------- ### Include Guidance in OSCAL Control (XML) Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/tutorials/control/basic-catalog.md This XML snippet shows how to add 'guidance' and 'information' parts to an OSCAL control, providing detailed implementation notes and supplemental context. ```xml Information security roles and responsibilities 1.1.1

All information security responsibilities should be defined and allocated.

Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined.

Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed.

Areas for which individuals are responsible should be stated. In particular the following should take place:

  1. the assets and information security processes should be identified and defined;
  2. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented;
  3. authorization levels should be defined and documented;
  4. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;
  5. coordination and oversight of information security aspects of supplier relationships should be identified and documented.

Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.

However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.

``` -------------------------------- ### OSCAL Catalog with Groups and Controls (JSON) Source: https://context7.com/usnistgov/oscal-pages/llms.txt This JSON snippet represents the equivalent structure of an OSCAL catalog with nested groups and controls, mirroring the XML example. ```json { "catalog": { "uuid": "956c32af-8a15-4732-a4d9-f976a1149c4b", "metadata": { "title": "Sample Security Catalog", "last-modified": "2020-02-10T11:01:04.736-04:00", "version": "1.0", "oscal-version": "1.0.0" }, "groups": [{ "id": "s1", "class": "section", "title": "Organization of Information Security", "props": [{ "name": "label", "value": "1" }], "groups": [{ "id": "s1.1", "title": "Internal Organization", "props": [{ "name": "label", "value": "1.1" }], "parts": [{ "id": "s1.1_smt", "name": "objective", "prose": "To establish a management framework to initiate and control the implementation." }], "controls": [{ "id": "s1.1.1", "title": "Information security roles and responsibilities", "props": [{ "name": "label", "value": "1.1.1" }], "parts": [ { "id": "s1.1.1_stm", "name": "statement", "prose": "All information security responsibilities should be defined and allocated." }, { "id": "s1.1.1_gdn", "name": "guidance", "parts": [{ "id": "s1.1.1_gdn.1", "name": "item", "prose": "Allocation of responsibilities should be done in accordance with policies." }] }, { "id": "s1.1.1_inf", "name": "information", "prose": "Many organizations appoint an information security manager." } ] }] }] }] } } ``` -------------------------------- ### Internal Import References Source: https://github.com/usnistgov/oscal-pages/blob/main/src/content/learn/concepts/processing/profile-resolution.html Shows how to reference internal resources for import using fragment identifiers in the href attribute. ```xml profile: uuid: ~ metadata: ~ imports: - href: #80052rev4 include-controls: ${{ list of selected controls }} - href: #80052rev5 include-controls: ${{ list of selected controls }} ```