Update Baselines to OSCAL 1.0.0 Final Release

.gitmodules

@@ -1,4 +1,4 @@
 [submodule "oscal"]
 	path = oscal
 	url = https://github.com/usnistgov/OSCAL.git
-	branch = master
+	branch = main

src/templates/poam/xml/FedRAMP-POAM-OSCAL-Template.xml

@@ -1,13 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- Modified by the OSCAL 1.0.0 RC1 to OSCAL 1.0.0 RC2 conversion XSLT on 2021-04-12T12:36:27.218704-04:00 -->
+<?xml-model href="https://raw.githubusercontent.com/usnistgov/OSCAL/release-1.0/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
+<!-- Modified by the OSCAL 1.0.0 RC2 to OSCAL 1.0.0 conversion XSLT on 2021-06-09T14:28:10.983-04:00 -->
 <plan-of-action-and-milestones xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-                               uuid="524b9109-64a2-4ffa-9ee1-09eade05dec7">
+                               uuid="c9db1389-df23-4118-b1a2-078d33734880">
    <metadata>
       <title>[System Name] FedRAMP Plan of Action and Milestones (POA&amp;M)</title>
       <published>2021-02-25T00:00:00.00-04:00</published>
-      <last-modified>2021-04-12T12:36:27.218704-04:00</last-modified>
+      <last-modified>2021-06-09T14:28:10.983-04:00</last-modified>
       <version>0.3</version>
-      <oscal-version>1.0.0-rc2</oscal-version>
+      <oscal-version>1.0.0</oscal-version>
       <prop name="marking" value="Controlled Unclassified Information"/>
       <!-- The following role definitions are required by FedRAMP -->
       <!-- Do not change the ID's or titles. -->
@@ -70,10 +71,9 @@
          <email-address>info@fedramp.gov</email-address>
          <address type="work">
             <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
             <city>Washington</city>
             <state>DC</state>
-            <postal-code/>
+            <postal-code>20006</postal-code>
             <country>US</country>
          </address>
          <remarks>
@@ -172,8 +172,8 @@
       <method>TEST</method>
       <type>finding</type>
       <origin>
-         <actor type="party" uuid-ref="f4568fda-c6d2-4640-adec-0012015af7d0"/>
-         <actor type="tool" uuid-ref="9d194268-a9d1-4c38-839f-9c4aa57bf71e"/>
+         <actor type="party" actor-uuid="f4568fda-c6d2-4640-adec-0012015af7d0"/>
+         <actor type="tool" actor-uuid="9d194268-a9d1-4c38-839f-9c4aa57bf71e"/>
       </origin>
       <relevant-evidence href="./raw_scans/scanner_output.csv">
          <description>
@@ -192,14 +192,14 @@
       <method>TEST</method>
       <type>finding</type>
       <origin>
-         <actor type="party" uuid-ref="f4568fda-c6d2-4640-adec-0012015af7d0"/>
-         <actor type="party" uuid-ref="e934d8b5-13e5-4f77-b55e-871e6f2df2fe"/>
-         <actor type="tool" uuid-ref="9d194268-a9d1-4c38-839f-9c4aa57bf71e"/>
+         <actor type="party" actor-uuid="f4568fda-c6d2-4640-adec-0012015af7d0"/>
+         <actor type="party" actor-uuid="e934d8b5-13e5-4f77-b55e-871e6f2df2fe"/>
+         <actor type="tool" actor-uuid="9d194268-a9d1-4c38-839f-9c4aa57bf71e"/>
       </origin>
-      <subject type="inventory-item" uuid-ref="f61f4408-2cb8-444a-a312-bc88412e7c61"/>
-      <subject type="inventory-item" uuid-ref="02075556-3660-4112-8982-02fc7d6fac00"/>
-      <subject type="inventory-item" uuid-ref="5efe2c07-9fdf-453a-8457-6471046082fb"/>
-      <subject type="component" uuid-ref="75b059f2-a9ba-40b1-a1e0-881196ca1ead"/>
+      <subject type="inventory-item" subject-uuid="f61f4408-2cb8-444a-a312-bc88412e7c61"/>
+      <subject type="inventory-item" subject-uuid="02075556-3660-4112-8982-02fc7d6fac00"/>
+      <subject type="inventory-item" subject-uuid="5efe2c07-9fdf-453a-8457-6471046082fb"/>
+      <subject type="component" subject-uuid="75b059f2-a9ba-40b1-a1e0-881196ca1ead"/>
       <relevant-evidence href="#171b44a2-9b52-4c46-b912-54bd274b2761">
          <description>
             <p>Raw scanner tool output - Infrastructure and OS Scan.</p>
@@ -214,7 +214,7 @@
       </description>
       <method>INTERVIEW</method>
       <type>vendor-dependency</type>
-      <subject uuid-ref="a49ed61e-fca1-4ffa-b5e7-c23a2375a7a0" type="component"/>
+      <subject type="component" subject-uuid="a49ed61e-fca1-4ffa-b5e7-c23a2375a7a0"/>
       <collected>2020-10-10T00:00:00Z</collected>
    </observation>
    <observation uuid="9de7cba9-40fc-4c4d-b6af-01bd24f1def6">
@@ -288,8 +288,8 @@
       <status>open</status>
       <characterization>
          <origin>
-            <actor type="party" uuid-ref="afe665d1-9021-4ad8-8bd2-c15b0f2dcf2d"/>
-            <actor type="tool" uuid-ref="9d194268-a9d1-4c38-839f-9c4aa57bf71e"/>
+            <actor type="party" actor-uuid="afe665d1-9021-4ad8-8bd2-c15b0f2dcf2d"/>
+            <actor type="tool" actor-uuid="9d194268-a9d1-4c38-839f-9c4aa57bf71e"/>
          </origin>
          <facet name="likelihood" system="https://fedramp.gov" value="high">
             <prop name="state" value="initial"/>
@@ -323,7 +323,7 @@
       <status>open</status>
       <characterization>
          <origin>
-            <actor type="tool" uuid-ref="9d194268-a9d1-4c38-839f-9c4aa57bf71e">
+            <actor type="tool" actor-uuid="9d194268-a9d1-4c38-839f-9c4aa57bf71e">
                <prop name="vulnerability-id" value="VulID-001"/>
                <prop name="plugin-id" value="Plugin-ID"/>
             </actor>
@@ -340,7 +340,7 @@
       <!-- TODO: Finish converting these. -->
       <characterization>
          <origin>
-            <actor type="party" uuid-ref="41E10E3B-32E1-4550-AE52-7F5D6B1BA532"/>
+            <actor type="party" actor-uuid="41E10E3B-32E1-4550-AE52-7F5D6B1BA532"/>
          </origin>
          <facet name="likelihood" value="high" system="https://fedramp.gov">
             <prop name="state" value="initial"/>
@@ -383,7 +383,7 @@
             <p>A description of the recommended remediation as provided by the tool.</p>
          </description>
          <origin>
-            <actor type="tool" uuid-ref="9d194268-a9d1-4c38-839f-9c4aa57bf71e"/>
+            <actor type="tool" actor-uuid="9d194268-a9d1-4c38-839f-9c4aa57bf71e"/>
          </origin>
          <remarks>
             <p>Recommended and planned remediation entries should remain when the risk is closed.</p>
@@ -395,7 +395,7 @@
             <p>A description of the recommended remediation as provided by the assessor in the SAR.</p>
          </description>
          <origin>
-            <actor type="party" uuid-ref="49f73135-efab-4275-9a79-003656ad890a"/>
+            <actor type="party" actor-uuid="49f73135-efab-4275-9a79-003656ad890a"/>
          </origin>
          <remarks>
             <p>If the identified risk is as a result of an assessment, the assessor's recommendation should also be copied into the POA&amp;M</p>
@@ -409,10 +409,10 @@
             <p>A description of the CSP's intended approach to remediating the identified risk.</p>
          </description>
          <origin>
-            <actor type="party" uuid-ref="49f73135-efab-4275-9a79-003656ad890a"/>
+            <actor type="party" actor-uuid="49f73135-efab-4275-9a79-003656ad890a"/>
          </origin>
          <required-asset uuid="7bd1a61e-4fda-4c52-a447-14072ef6e042">
-            <subject uuid-ref="6e0d71b5-3dac-4a9b-b60d-da61b95eccb9" type="party"/>
+            <subject type="party" subject-uuid="6e0d71b5-3dac-4a9b-b60d-da61b95eccb9"/>
             <description>
                <p>Describe required resources.</p>
             </description>

src/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml

@@ -1,13 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- Modified by the OSCAL 1.0.0 RC1 to OSCAL 1.0.0 RC2 conversion XSLT on 2021-04-12T12:36:27.685737-04:00 -->
+<?xml-model href="https://raw.githubusercontent.com/usnistgov/OSCAL/release-1.0/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
+<!-- Modified by the OSCAL 1.0.0 RC2 to OSCAL 1.0.0 conversion XSLT on 2021-06-09T14:27:43.166-04:00 -->
 <assessment-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-                 uuid="35cd0f77-4c33-4942-9119-86c115d9f641">
+                 uuid="c94691c8-0b83-483c-bc02-f3d3bf026abb">
    <metadata>
       <title>[System Name] FedRAMP Security Assessment Plan (SAP)</title>
       <published>2021-02-25T00:00:00.00-04:00</published>
-      <last-modified>2021-04-12T12:36:27.685737-04:00</last-modified>
+      <last-modified>2021-06-09T14:27:43.166-04:00</last-modified>
       <version>0.3</version>
-      <oscal-version>1.0.0-rc2</oscal-version>
+      <oscal-version>1.0.0</oscal-version>
       <prop name="marking" value="Controlled Unclassified Information"/>
       <!-- The following role definitions are required by FedRAMP -->
       <!-- Do not change the ID's or titles. -->
@@ -140,10 +141,9 @@
          <email-address>info@fedramp.gov</email-address>
          <address type="work">
             <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
             <city>Washington</city>
             <state>DC</state>
-            <postal-code/>
+            <postal-code>20006</postal-code>
             <country>US</country>
          </address>
          <remarks>
@@ -392,7 +392,6 @@
          <description>
             <h1>Existing Role - Incorrect Associated Functions</h1>
          </description>
-         <prop name="updates-uuid" value=""/>
          <authorized-privilege>
             <title>Corrected Function List</title>
             <function-performed>Add/Remove Groups</function-performed>
@@ -427,7 +426,7 @@
          <part id="ac-2_sap_obj_1" name="objective">
             <title>SAP Inserted Objective</title>
             <prop name="label" value="AC-2[SAP][1]"/>
-            <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value=""/>
+            <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="You must fill in this response point."/>
             <prop name="method" class="fedramp" value="EXAMINE"/>
             <prop name="method" class="fedramp" value="INTERVIEW"/>
             <prop name="method" class="fedramp" value="TEST"/>
@@ -758,7 +757,7 @@
          <p>A description of the included component.</p>
       </description>
       <include-all/>
-      <exclude-subject uuid-ref="0f9049ed-a01f-484a-b70d-b1894fd196b8"/>
+      <exclude-subject subject-uuid="0f9049ed-a01f-484a-b70d-b1894fd196b8" type="component"/>
       <remarks>
          <p>FedRAMP and NIST use the term "component" differently. The combination of <code>component</code> and <code>inventory-item</code> assembly in OSCAL, together are equivalent to a FedRAMP "component".</p>
          <p>This <code>assessment-subject</code> is citing OSCAL <code>component</code> assemblies in the SSP.</p>
@@ -773,7 +772,7 @@
          <p>A brief description of the included inventory.</p>
       </description>
       <include-all/>
-      <exclude-subject uuid-ref="9c04e165-4827-407d-9aa3-25a487de1c65"/>
+      <exclude-subject subject-uuid="9c04e165-4827-407d-9aa3-25a487de1c65" type="inventory-item"/>
       <remarks>
          <p>FedRAMP and NIST use the term "component" differently. The combination of <code>component</code> and <code>inventory-item</code> assembly in OSCAL, together are equivalent to a FedRAMP "component".</p>
          <p>This <code>assessment-subject</code> is citing OSCAL <code>inventory-item</code> assemblies in the SSP.</p>
@@ -787,7 +786,7 @@
          <h2>Selective Example</h2>
          <p>A brief description of the included inventory.</p>
       </description>
-      <include-subject uuid-ref="9c04e165-4827-407d-9aa3-25a487de1c65"/>
+      <include-subject subject-uuid="9c04e165-4827-407d-9aa3-25a487de1c65" type="inventory-item"/>
       <remarks>
          <p>FedRAMP and NIST use the term "component" differently. The combination of <code>component</code> and <code>inventory-item</code> assembly in OSCAL, together are equivalent to a FedRAMP "component".</p>
          <p>This <code>assessment-subject</code> is citing OSCAL <code>inventory-item</code> assemblies in the SSP.</p>
@@ -800,12 +799,12 @@
          <h1>System Location(s) in Assessment Scope</h1>
          <p>An overall description of the included location.</p>
       </description>
-      <include-subject uuid-ref="16adcc8d-65d8-4583-80d3-9cf007744fec">
+      <include-subject subject-uuid="16adcc8d-65d8-4583-80d3-9cf007744fec" type="location">
          <remarks>
             <p>Briefly describe the components at this location.</p>
          </remarks>
       </include-subject>
-      <include-subject uuid-ref="ad321514-7b9f-4374-8409-efb18eea6e5d">
+      <include-subject subject-uuid="ad321514-7b9f-4374-8409-efb18eea6e5d" type="location">
          <remarks>
             <p>Briefly describe the components at this location.</p>
          </remarks>
@@ -823,7 +822,7 @@
          <p>Briefly description the included users here.</p>
       </description>
       <include-all/>
-      <exclude-subject uuid-ref="ce1a3dbc-2bf5-4899-9fcf-090e299533bb"/>
+      <exclude-subject subject-uuid="ce1a3dbc-2bf5-4899-9fcf-090e299533bb" type="user"/>
       <remarks>
          <p>This refers to user assemblies identified in the system-implementation section of the SSP and the local-definitions of the SAP. </p>
          <p>Using include-all means all user roles defined both in the SSP and in the local-definitions of the SAP are included in the assessment.</p>
@@ -839,7 +838,7 @@
          <h2>Selective Example</h2>
          <p>Briefly description the included users here.</p>
       </description>
-      <include-subject uuid-ref="ce1a3dbc-2bf5-4899-9fcf-090e299533bb"/>
+      <include-subject subject-uuid="ce1a3dbc-2bf5-4899-9fcf-090e299533bb" type="user"/>
       <remarks>
          <p>This refers to user assemblies identified in the system-implementation section of the SSP and the local-definitions of the SAP. </p>
          <p>This <code>assessment-subject</code> is citing OSCAL <code>user</code> assemblies in the SSP.</p>
@@ -1052,14 +1051,15 @@
                name="login-url"
                value="https://service.offering.com/login"/>
          <prop ns="http://fedramp.gov/ns/oscal" name="login-id" value="test-user"/>
-         <associated-activity activity-uuid="315b3118-3d2e-420b-b4fb-5acf13b08381"/>
-         <subject type="inventory-item">
-            <include-subject uuid-ref="779d4e89-bba6-432c-b50d-d699fe534129">
-               <remarks>
-                  <p>References an inventory item, which is linked to a component. The component has a <code>scan-type</code> FedRAMP Extension with a value of "web"</p>
-               </remarks>
-            </include-subject>
-         </subject>
+         <associated-activity activity-uuid="315b3118-3d2e-420b-b4fb-5acf13b08381">
+            <subject type="inventory-item">
+               <include-subject subject-uuid="779d4e89-bba6-432c-b50d-d699fe534129" type="inventory-item">
+                  <remarks>
+                     <p>References an inventory item, which is linked to a component. The component has a <code>scan-type</code> FedRAMP Extension with a value of "web"</p>
+                  </remarks>
+               </include-subject>
+            </subject>
+         </associated-activity>
       </task>
       <task uuid="FC869008-9CD5-4499-82C8-6BC532A86142" type="action">
          <title>Web Application Test #2</title>
@@ -1070,13 +1070,14 @@
                name="login-url"
                value="https://admin-portal.offering.com/login"/>
          <prop ns="http://fedramp.gov/ns/oscal" name="login-id" value="test-admin"/>
-         <associated-activity activity-uuid="64142a6f-d8d4-47c6-8bb1-a0e33f17664d"/>
-         <subject type="inventory-item">
-            <include-subject uuid-ref="779d4e89-bba6-432c-b50d-d699fe534129"/>
-            <remarks>
-               <p>References an inventory item, which is linked to a component. The component has a <code>scan-type</code> FedRAMP Extension with a value of "web"</p>
-            </remarks>
-         </subject>
+         <associated-activity activity-uuid="64142a6f-d8d4-47c6-8bb1-a0e33f17664d">
+            <subject type="inventory-item">
+               <include-subject subject-uuid="779d4e89-bba6-432c-b50d-d699fe534129" type="inventory-item"/>
+               <remarks>
+                  <p>References an inventory item, which is linked to a component. The component has a <code>scan-type</code> FedRAMP Extension with a value of "web"</p>
+               </remarks>
+            </subject>
+          </associated-activity>
       </task>
    </task>
    <task uuid="EDDBCFA9-D296-4818-ADCC-3D5465ED3FDD" type="action">
@@ -1090,7 +1091,14 @@
          <prop ns="http://fedramp.gov/ns/oscal"
                name="user-uuid"
                value="9cb0fab0-78bd-44ba-bcb8-3e9801cc952f"/>
-         <associated-activity activity-uuid="dc858ece-b430-485d-886c-3a812bb77b13"/>
+         <associated-activity activity-uuid="dc858ece-b430-485d-886c-3a812bb77b13">
+            <subject type="inventory-item">
+               <include-subject subject-uuid="779d4e89-bba6-432c-b50d-d699fe534129" type="inventory-item"/>
+               <remarks>
+                  <p>References an inventory item, which is linked to a component. The component has a <code>scan-type</code> FedRAMP Extension with a value of "web"</p>
+               </remarks>
+            </subject>
+         </associated-activity>
       </task>
       <task uuid="74830d19-2820-4487-bd1d-91d8656b7eb0" type="action">
          <title>Role Based Test #2</title>
@@ -1101,7 +1109,14 @@
          <prop ns="http://fedramp.gov/ns/oscal"
                name="user-uuid"
                value="sys-role-2"/>
-         <associated-activity activity-uuid="64142a6f-d8d4-47c6-8bb1-a0e33f17664d"/>
+         <associated-activity activity-uuid="64142a6f-d8d4-47c6-8bb1-a0e33f17664d">
+            <subject type="inventory-item">
+               <include-subject subject-uuid="779d4e89-bba6-432c-b50d-d699fe534129" type="inventory-item"/>
+               <remarks>
+                  <p>References an inventory item, which is linked to a component. The component has a <code>scan-type</code> FedRAMP Extension with a value of "web"</p>
+               </remarks>
+            </subject>
+         </associated-activity>
       </task>
    </task>
    <back-matter>