ControlCatalog

Experimental

ControlCatalog describes a set of related controls and relevant metadata

metadata object Required

controls array[Control]

controls is a list of unique controls defined by this catalog

Control

Experimental

Control describes a safeguard or countermeasure with a clear objective and assessment requirements

assessment-requirements array[AssessmentRequirement] Required

assessment-requirements is a list of requirements that must be verified to confirm the control objective has been met

group string Required

group references by id a catalog group that this control belongs to

id string Required

id allows this entry to be referenced by other elements

objective string Required

objective is a unified statement of intent, which may encompass multiple situationally applicable requirements

state Lifecycle Required

state is the lifecycle state of this control

title string Required

title describes the purpose of this control at a glance

guidelines array[MultiEntryMapping]

guidelines documents relationships between this control and Layer 1 guideline artifacts

replaced-by EntryMapping

replaced-by references the control that supersedes this one when deprecated or retired

threats array[MultiEntryMapping]

threats documents relationships between this control and Layer 2 threat artifacts

AssessmentRequirement

Experimental

AssessmentRequirement describes a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator

applicability array[string] Required

applicability is a list of strings describing the situations where this text functions as a requirement for its parent control

id string Required

id allows this entry to be referenced by other elements

state Lifecycle Required

state is the lifecycle state of this assessment requirement

text string Required

text is the body of the requirement, typically written as a MUST condition

recommendation string

recommendation provides readers with non-binding suggestions to aid in evaluation or enforcement of the requirement

replaced-by EntryMapping

replaced-by references the assessment requirement that supersedes this one when deprecated or retired
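The rules stated above (required fields, unique ids, non-empty applicability, and replaced-by only on a deprecated or retired entry that points at another entry) can be checked mechanically. The validator below is an added example, not code from the project; it assumes Lifecycle is a plain string with "deprecated" and "retired" as the superseded states, and that replaced-by is a bare id string, since the EntryMapping shape is not described on this page.

```python
# Consistency checks for a ControlCatalog document (added example, not project code).
# Assumed: Lifecycle is a plain string with "deprecated"/"retired" as the superseded
# states, and replaced-by is a bare id string (EntryMapping is not described above).
CONTROL_REQUIRED = {"assessment-requirements", "group", "id", "objective", "state", "title"}
REQUIREMENT_REQUIRED = {"applicability", "id", "state", "text"}
SUPERSEDED_STATES = {"deprecated", "retired"}  # assumed spellings of the Lifecycle values

def _check_replaced_by(entry, label, known_ids, problems):
    # replaced-by belongs only on a superseded entry and must point at a different entry
    target = entry.get("replaced-by")
    if target is None:
        return
    if entry.get("state") not in SUPERSEDED_STATES:
        problems.append(f"{label}: replaced-by set but state is {entry.get('state')!r}")
    if target not in known_ids or target == entry.get("id"):
        problems.append(f"{label}: replaced-by {target!r} does not resolve to another entry")

def validate_catalog(catalog: dict) -> list[str]:
    """Return the problems found; an empty list means the catalog is consistent."""
    problems: list[str] = []
    if "metadata" not in catalog:
        problems.append("catalog: missing required field 'metadata'")
    controls = catalog.get("controls", [])
    control_ids = [c.get("id") for c in controls]
    requirement_ids = [r.get("id") for c in controls for r in c.get("assessment-requirements", [])]
    for kind, ids in (("control", control_ids), ("requirement", requirement_ids)):
        for dup in sorted({i for i in ids if ids.count(i) > 1}, key=str):  # ids are unique per catalog
            problems.append(f"{kind} id {dup!r} is not unique")
    for c in controls:
        label = f"control {c.get('id', '?')}"
        problems += [f"{label}: missing required field '{f}'" for f in sorted(CONTROL_REQUIRED - set(c))]
        _check_replaced_by(c, label, set(control_ids), problems)
        for r in c.get("assessment-requirements", []):
            rlabel = f"{label} / requirement {r.get('id', '?')}"
            problems += [f"{rlabel}: missing required field '{f}'" for f in sorted(REQUIREMENT_REQUIRED - set(r))]
            if "applicability" in r and not r["applicability"]:
                problems.append(f"{rlabel}: applicability must list at least one situation")
            _check_replaced_by(r, rlabel, set(requirement_ids), problems)
    return problems

# Constructed sample: one well-formed control plus one with several defects.
SAMPLE_CATALOG = {
    "metadata": {"id": "example-catalog", "title": "Constructed example"},
    "controls": [
        {"id": "CTL-1", "title": "Enforce MFA", "group": "identity", "state": "active",
         "objective": "Interactive access requires a second factor.",
         "assessment-requirements": [{"id": "CTL-1.1", "state": "active", "applicability": ["production"],
                                      "text": "The system MUST require a second factor for every interactive login."}]},
        {"id": "CTL-1", "group": "identity", "objective": "Old wording.", "state": "active", "replaced-by": "CTL-9",
         "assessment-requirements": [{"id": "CTL-0.1", "state": "active", "applicability": [], "text": "MUST ..."}]},
    ],
}
```

Running `validate_catalog(SAMPLE_CATALOG)` reports the duplicate control id, the missing title, the misplaced and unresolved replaced-by, and the empty applicability list.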