Layer 2

ControlCatalog

ControlCatalog describes a set of related controls and relevant metadata

| Field | Type | Required | Description |
|---|---|---|---|
| metadata | Metadata | Yes | metadata provides detailed data about this catalog |
| title | string | Yes | title describes the contents of this catalog at a glance |
| controls | array[Control] | No | controls is a list of unique controls defined by this catalog |
| families | array[Group] | No | families contains a list of control families that can be referenced by controls |
| imported-controls | array[MultiEntryMapping] | No | imported-controls is a list of controls from another source which are included as part of this document |
Control

Control describes a safeguard or countermeasure with a clear objective and assessment requirements

| Field | Type | Required | Description |
|---|---|---|---|
| assessment-requirements | array[AssessmentRequirement] | Yes | assessment-requirements is a list of requirements that must be verified to confirm the control objective has been met |
| family | string | Yes | family references by id a catalog control family that this control belongs to |
| id | string | Yes | id allows this entry to be referenced by other elements |
| objective | string | Yes | objective is a unified statement of intent, which may encompass multiple situationally applicable requirements |
| state | Lifecycle | Yes | state is the lifecycle state of this control |
| title | string | Yes | title describes the purpose of this control at a glance |
| guideline-mappings | array[MultiEntryMapping] | No | guideline-mappings documents relationships between this control and Layer 1 guideline artifacts |
| replaced-by | EntryMapping | No | replaced-by references the control that supersedes this one when deprecated or retired |
| threat-mappings | array[MultiEntryMapping] | No | threat-mappings documents relationships between this control and Layer 2 threat artifacts |
AssessmentRequirement

AssessmentRequirement describes a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator

| Field | Type | Required | Description |
|---|---|---|---|
| applicability | array[string] | Yes | applicability is a list of strings describing the situations where this text functions as a requirement for its parent control |
| id | string | Yes | id allows this entry to be referenced by other elements |
| state | Lifecycle | Yes | state is the lifecycle state of this assessment requirement |
| text | string | Yes | text is the body of the requirement, typically written as a MUST condition |
| recommendation | string | No | recommendation provides readers with non-binding suggestions to aid in evaluation or enforcement of the requirement |
| replaced-by | EntryMapping | No | replaced-by references the assessment requirement that supersedes this one when deprecated or retired |
ThreatCatalog

ThreatCatalog describes a set of topically-associated threats

| Field | Type | Required | Description |
|---|---|---|---|
| metadata | Metadata | Yes | metadata provides detailed data about this catalog |
| title | string | Yes | title describes the purpose of this catalog at a glance |
| capabilities | array[Capability] | No | capabilities is a list of capabilities that make up the system being assessed |
| imported-capabilities | array[MultiEntryMapping] | No | imported-capabilities is a list of capabilities from another source which are included as part of this document |
| imported-threats | array[MultiEntryMapping] | No | imported-threats is a list of threats from another source which are included as part of this document |
| threats | array[Threat] | No | threats is a list of threats defined by this catalog |
Threat

Threat describes a specifically-scoped opportunity for a negative impact to the organization

| Field | Type | Required | Description |
|---|---|---|---|
| capabilities | array[MultiEntryMapping] | Yes | capabilities documents the relationship between this threat and a system capability |
| description | string | Yes | description provides a detailed explanation of an opportunity for negative impact |
| id | string | Yes | id allows this entry to be referenced by other elements |
| title | string | Yes | title describes this threat at a glance |
| actors | array[Actor] | No | actors describes the relevant internal or external threat actors |
| external-mappings | array[MultiEntryMapping] | No | external-mappings documents relationships between this threat and any other artifacts |
Capability

Capability describes a system capability such as a feature, component or object.

| Field | Type | Required | Description |
|---|---|---|---|
| description | string | Yes | description provides a detailed overview of this capability |
| id | string | Yes | id allows this entry to be referenced by other elements |
| title | string | Yes | title describes this capability at a glance |
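The field tables above define required fields and several by-id references (a Control's family must name a declared family, replaced-by must name an existing entry, a Threat's capabilities must name declared capabilities). The checker below, an added example that is not part of this page or of the project it documents, validates both a ControlCatalog and a ThreatCatalog loaded as plain dictionaries against those rules. It assumes, since the page does not define them, that Lifecycle is a string (the values "active" and "deprecated" are constructed), that a Group has an id field, that an EntryMapping carries its target id under an "id" key, and that a MultiEntryMapping lists target ids under an "entries" key; the two sample catalogs are constructed and deliberately contain defects.

```python
from typing import Any

# Required fields per type, taken from the field tables on this page.
REQUIRED_FIELDS: dict[str, tuple[str, ...]] = {
    "ControlCatalog": ("metadata", "title"),
    "Control": ("assessment-requirements", "family", "id", "objective", "state", "title"),
    "AssessmentRequirement": ("applicability", "id", "state", "text"),
    "ThreatCatalog": ("metadata", "title"),
    "Threat": ("capabilities", "description", "id", "title"),
    "Capability": ("description", "id", "title"),
}


def _missing_fields(kind: str, obj: dict[str, Any], where: str) -> list[str]:
    """Report required fields of `kind` that are absent from `obj`."""
    return [f"{where}: {kind} is missing required field '{f}'"
            for f in REQUIRED_FIELDS[kind] if f not in obj]


def _duplicate_ids(items: list[dict[str, Any]], kind: str) -> list[str]:
    """Ids must be unique, since other elements reference entries by id."""
    seen: set[Any] = set()
    errors: list[str] = []
    for item in items:
        if item.get("id") in seen:
            errors.append(f"duplicate {kind} id '{item.get('id')}'")
        seen.add(item.get("id"))
    return errors


def validate_control_catalog(catalog: dict[str, Any]) -> list[str]:
    """Required fields plus family and replaced-by reference checks for a ControlCatalog."""
    errors = _missing_fields("ControlCatalog", catalog, "catalog")
    # families is array[Group]; Group is not defined on this page, so only an 'id' is assumed.
    family_ids = {g.get("id") for g in catalog.get("families", [])}
    controls = catalog.get("controls", [])
    control_ids = {c.get("id") for c in controls}
    errors += _duplicate_ids(controls, "Control")
    for control in controls:
        where = f"control '{control.get('id', '?')}'"
        errors += _missing_fields("Control", control, where)
        if control.get("family") not in family_ids:
            errors.append(f"{where}: family '{control.get('family')}' is not declared in families")
        requirements = control.get("assessment-requirements", [])
        errors += _duplicate_ids(requirements, "AssessmentRequirement")
        for req in requirements:
            errors += _missing_fields("AssessmentRequirement", req,
                                      f"{where} requirement '{req.get('id', '?')}'")
        # replaced-by is an EntryMapping; assumed to carry the target id under 'id' and to
        # point at a control in this same catalog (imported-controls are not consulted here).
        replaced_by = control.get("replaced-by")
        if replaced_by is not None and replaced_by.get("id") not in control_ids:
            errors.append(f"{where}: replaced-by '{replaced_by.get('id')}' does not resolve")
    return errors


def validate_threat_catalog(catalog: dict[str, Any]) -> list[str]:
    """Required fields plus threat-to-capability reference checks for a ThreatCatalog."""
    errors = _missing_fields("ThreatCatalog", catalog, "catalog")
    capabilities = catalog.get("capabilities", [])
    errors += _duplicate_ids(capabilities, "Capability")
    for cap in capabilities:
        errors += _missing_fields("Capability", cap, f"capability '{cap.get('id', '?')}'")
    capability_ids = {c.get("id") for c in capabilities}
    threats = catalog.get("threats", [])
    errors += _duplicate_ids(threats, "Threat")
    for threat in threats:
        where = f"threat '{threat.get('id', '?')}'"
        errors += _missing_fields("Threat", threat, where)
        # capabilities is array[MultiEntryMapping]; assumed shape {'entries': [<capability id>, ...]}.
        for mapping in threat.get("capabilities", []):
            for target in mapping.get("entries", []):
                if target not in capability_ids:
                    errors.append(f"{where}: capability '{target}' is not declared in capabilities")
    return errors


# Constructed sample documents (not from any real catalog); Metadata content is a placeholder.
SAMPLE_CONTROL_CATALOG: dict[str, Any] = {
    "metadata": {"id": "example-controls"}, "title": "Example control catalog",
    "families": [{"id": "ac", "title": "Access control"}],
    "controls": [
        {"id": "ac-1", "title": "Authenticate all users", "family": "ac", "state": "active",
         "objective": "Every request is tied to an authenticated identity",
         "assessment-requirements": [{"id": "ac-1.1", "state": "active", "applicability": ["production"],
                                      "text": "The service MUST reject requests without a valid credential"}]},
        # Three defects: undeclared family, requirement missing 'text', dangling replaced-by.
        {"id": "ac-2", "title": "Rotate signing keys", "family": "crypto", "state": "deprecated",
         "objective": "Signing keys are rotated on a fixed schedule", "replaced-by": {"id": "ac-9"},
         "assessment-requirements": [{"id": "ac-2.1", "state": "active", "applicability": ["production"]}]},
    ],
}
SAMPLE_THREAT_CATALOG: dict[str, Any] = {
    "metadata": {"id": "example-threats"}, "title": "Example threat catalog",
    "capabilities": [{"id": "cap-login", "title": "Login", "description": "User sign-in flow"}],
    "threats": [
        {"id": "t-1", "title": "Replay of reused credentials", "capabilities": [{"entries": ["cap-login"]}],
         "description": "Credentials leaked elsewhere are tried against the sign-in flow"},
        # Defect: references a capability this catalog never declares.
        {"id": "t-2", "title": "Misuse of an undeclared API", "capabilities": [{"entries": ["cap-api"]}],
         "description": "Threat written against a capability missing from this catalog"},
    ],
}

if __name__ == "__main__":
    for line in validate_control_catalog(SAMPLE_CONTROL_CATALOG) + validate_threat_catalog(SAMPLE_THREAT_CATALOG):
        print(line)
```

Running the block prints three findings for the control catalog and one for the threat catalog. Cross-catalog references (imported-controls, imported-capabilities, imported-threats, guideline-mappings, threat-mappings) are left unchecked here because resolving them needs the other documents loaded alongside.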