Core Requirements
OSCAL requirements common to all content.
Character Encoding
UTF-8 Character Encoding
OSCAL uses UTF-8 character encoding. JSON and YAML files are always UTF-8 character encoded, but XML files must include an explicit UTF-8 encoding. Other encodings are not allowed and could create unpredictable results in OSCAL tools.
To ensure OSCAL XML content is processed as UTF-8, explicitly specify the encoding on the first line of any OSCAL XML file as follows:
<?xml version='1.0' encoding='UTF-8'?>
Required Root Information
Core OSCAL requires some content to be present in all OSCAL artifacts. This is critical to consistent processing.
Root Element and Root-Level Universally Unique Identifier
The root element must be one of the case-sensitive OSCAL model names:
- catalog
- profile
- mapping-collection (OSCAL version >=1.2.0)
- component-definition
- system-security-plan
- plan-of-action-and-milestones
- assessment-plan
- assessment-results
It must be immediately followed by a root-level (document-level) UUID.
In JSON and YAML, the UUID is a child of the root element. In XML it is an attribute of the root element.
OSCAL XML artifacts must include an XML declaration above the root element, and an XML namespace declaration as an attribute of the root element.
XML Example
<?xml version="1.0" encoding="UTF-8"?>
<system-security-plan
    xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="11111111-2222-4000-8000-000000000000">
</system-security-plan>
JSON Example
{
  "system-security-plan": {
    "uuid": "11111111-2222-4000-8000-000000000000"
  }
}
YAML Example
system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
Required Metadata
All OSCAL artifacts must have the following content in metadata:
- title: The artifact's title.
- last-modified: The date/timestamp of the last modification to any content in the artifact. This is a date-time-with-timezone format.
- version: The version of the content itself. May be any string, including "draft".
- oscal-version: The OSCAL version of the syntax. This must be a published OSCAL version, such as "1.1.3" or "1.2.1".
Example
system-security-plan:
  uuid: 11111111-2222-4000-8000-000000000000
  metadata:
    title: '[EXAMPLE] FedRAMP [Baseline Name] System Security Plan (SSP)'
    last-modified: '2025-01-08T04:18:29Z'
    version: fedramp-3.0.0rc1-oscal-1.1.2
    oscal-version: 1.1.3
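A pre-ingestion check for these core requirements, applied to an OSCAL JSON artifact. This is an added example, not code from the OSCAL project; the function name, the finding strings and the two regular expressions are assumptions made for illustration, and it does not replace validation against the published OSCAL schemas.

```python
import json
import re

# Root model names listed on this page (mapping-collection needs OSCAL >= 1.2.0).
ROOT_NAMES = {"catalog", "profile", "mapping-collection", "component-definition",
              "system-security-plan", "plan-of-action-and-milestones",
              "assessment-plan", "assessment-results"}
REQUIRED_METADATA = ("title", "last-modified", "version", "oscal-version")
# Assumed patterns: hyphenated 8-4-4-4-12 hex UUID; date-time ending in Z or an offset.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DATETIME_TZ_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def check_oscal_json(raw: bytes) -> list:
    """Return core-requirement findings for OSCAL JSON bytes; [] means none."""
    try:
        doc = json.loads(raw.decode("utf-8"))  # strict decode rejects other encodings
    except UnicodeDecodeError:
        return ["content is not valid UTF-8"]
    except json.JSONDecodeError as exc:
        return [f"not well-formed JSON: {exc.msg}"]
    roots = [k for k in doc if k in ROOT_NAMES] if isinstance(doc, dict) else []
    if len(roots) != 1 or not isinstance(doc[roots[0]], dict):
        return ["expected exactly one case-sensitive OSCAL root element"]
    body = doc[roots[0]]
    findings = []
    if not UUID_RE.match(str(body.get("uuid", ""))):
        findings.append("root-level uuid is missing or malformed")
    metadata = body.get("metadata") if isinstance(body.get("metadata"), dict) else {}
    for field in REQUIRED_METADATA:
        value = metadata.get(field)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"metadata.{field} is missing or empty")
    stamp = metadata.get("last-modified")
    if isinstance(stamp, str) and stamp.strip() and not DATETIME_TZ_RE.match(stamp):
        findings.append("metadata.last-modified is not a date-time with time zone")
    return findings


# Constructed sample: the page's YAML example expressed as JSON.
SAMPLE = {"system-security-plan": {
    "uuid": "11111111-2222-4000-8000-000000000000",
    "metadata": {"title": "[EXAMPLE] FedRAMP [Baseline Name] System Security Plan (SSP)",
                 "last-modified": "2025-01-08T04:18:29Z",
                 "version": "fedramp-3.0.0rc1-oscal-1.1.2", "oscal-version": "1.1.3"}}}

if __name__ == "__main__":
    print(check_oscal_json(json.dumps(SAMPLE).encode("utf-8")))
```

Running the check before content reaches downstream OSCAL tooling turns the unpredictable results mentioned above into explicit findings.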