Knowledge about OSCAL assessment plans and assessment results models in Compliance Trestle. Use when users ask about assessment plans, assessment results, security assessments, SAP, SAR, assessment activities, findings, observations, or assessment-related OSCAL models.
From compliance-trestle (`npx claudepluginhub ethanolivertroy/compliance-trestle-skills`)

This skill is limited to using the following tools:
OSCAL defines two assessment-related models:
Assessment Plan (AP): defines what will be assessed, how, when, and by whom. It corresponds to a Security Assessment Plan (SAP) in FedRAMP/NIST terminology.
```json
{
  "assessment-plan": {
    "uuid": "...",
    "metadata": { "title": "...", "version": "..." },
    "import-ssp": { "href": "#..." },
    "local-definitions": {
      "activities": [],
      "objectives-and-methods": []
    },
    "reviewed-controls": {
      "control-selections": [
        { "include-controls": [{ "control-id": "ac-1" }] }
      ]
    },
    "assessment-subjects": [],
    "assessment-assets": {
      "assessment-platforms": []
    },
    "tasks": []
  }
}
```
| Field | Purpose |
|---|---|
| import-ssp | References the SSP being assessed |
| reviewed-controls | Controls in scope for this assessment |
| assessment-subjects | Systems, components, or inventories being assessed |
| assessment-assets | Tools and platforms used for assessment |
| tasks | Scheduled assessment activities |
| local-definitions.activities | Assessment activities and their steps |
| local-definitions.objectives-and-methods | Assessment objectives tied to controls |
```text
assessment-plans/
└── my-assessment/
    └── assessment-plan.json
```
Assessment Results (AR): documents the outcomes of a security assessment, including findings, observations, and risk determinations. It corresponds to a Security Assessment Report (SAR) in FedRAMP/NIST terminology.
```json
{
  "assessment-results": {
    "uuid": "...",
    "metadata": { "title": "...", "version": "..." },
    "import-ap": { "href": "#..." },
    "results": [
      {
        "uuid": "...",
        "title": "Assessment Round 1",
        "start": "2024-01-15T00:00:00Z",
        "end": "2024-01-30T00:00:00Z",
        "reviewed-controls": {},
        "findings": [],
        "observations": [],
        "risks": []
      }
    ]
  }
}
```
| Field | Purpose |
|---|---|
| import-ap | References the assessment plan |
| results | One or more assessment result sets |
| results[].findings | Individual assessment findings per control |
| results[].observations | Evidence and observations collected |
| results[].risks | Identified risks with severity |
| results[].attestations | Assessor attestation statements |
A single entry in results[].findings links a control objective's status to the observations and risks that support it:

```json
{
  "uuid": "...",
  "title": "AC-1 Finding",
  "description": "...",
  "target": {
    "type": "objective-id",
    "target-id": "ac-1",
    "status": { "state": "not-satisfied" }
  },
  "related-observations": [{ "observation-uuid": "..." }],
  "related-risks": [{ "risk-uuid": "..." }]
}
```
| State | Meaning |
|---|---|
| satisfied | Control objective is met |
| not-satisfied | Control objective is not met (generates POA&M entry) |
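Added example (not code from compliance-trestle or the skill): a cross-reference check over an assessment-results document that lists the not-satisfied findings that will feed POA&M entries and flags finding references whose observation or risk UUID does not exist in the same result set. The document is a constructed sample with placeholder UUIDs.

```python
import json

# Constructed sample assessment-results document (placeholder UUIDs, not real data).
OBS_UUID = "11111111-1111-4111-8111-111111111111"
RISK_UUID = "22222222-2222-4222-8222-222222222222"
DANGLING_UUID = "99999999-9999-4999-8999-999999999999"  # referenced but never defined
SAMPLE_AR = {
    "assessment-results": {
        "uuid": "00000000-0000-4000-8000-000000000000",
        "metadata": {"title": "Sample AR", "version": "1.0"},
        "import-ap": {"href": "#ap"},
        "results": [{
            "uuid": "00000000-0000-4000-8000-000000000001",
            "title": "Assessment Round 1",
            "start": "2024-01-15T00:00:00Z", "end": "2024-01-30T00:00:00Z",
            "observations": [{"uuid": OBS_UUID, "description": "AC-1 policy reviewed"}],
            "risks": [{"uuid": RISK_UUID, "title": "Access control policy out of date"}],
            "findings": [
                {"uuid": "00000000-0000-4000-8000-000000000002", "title": "AC-1 Finding",
                 "target": {"type": "objective-id", "target-id": "ac-1",
                            "status": {"state": "not-satisfied"}},
                 "related-observations": [{"observation-uuid": OBS_UUID}],
                 "related-risks": [{"risk-uuid": RISK_UUID}]},
                {"uuid": "00000000-0000-4000-8000-000000000003", "title": "AC-2 Finding",
                 "target": {"type": "objective-id", "target-id": "ac-2",
                            "status": {"state": "satisfied"}},
                 "related-observations": [{"observation-uuid": DANGLING_UUID}]},
            ],
        }],
    }
}


def check_results(doc):
    """Return (poam_candidates, dangling_refs) for every result set in the document.

    poam_candidates: (target-id, finding title) for each not-satisfied finding.
    dangling_refs: (finding title, kind, uuid) for each related-observations /
    related-risks entry whose UUID is not defined in the same result set.
    """
    poam, dangling = [], []
    for result in doc["assessment-results"]["results"]:
        obs_ids = {o["uuid"] for o in result.get("observations", [])}
        risk_ids = {r["uuid"] for r in result.get("risks", [])}
        for finding in result.get("findings", []):
            target = finding["target"]
            if target["status"]["state"] == "not-satisfied":
                poam.append((target["target-id"], finding["title"]))
            for ref in finding.get("related-observations", []):
                if ref["observation-uuid"] not in obs_ids:
                    dangling.append((finding["title"], "observation", ref["observation-uuid"]))
            for ref in finding.get("related-risks", []):
                if ref["risk-uuid"] not in risk_ids:
                    dangling.append((finding["title"], "risk", ref["risk-uuid"]))
    return poam, dangling


if __name__ == "__main__":
    print(json.dumps(check_results(SAMPLE_AR), indent=2))
```

To run it against a real file, replace SAMPLE_AR with `json.load(open("assessment-results.json"))`.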
```text
assessment-results/
└── my-assessment-results/
    └── assessment-results.json
```
```bash
# Import existing JSON documents into the trestle workspace
trestle import -f assessment-plan.json -o my-assessment
trestle import -f assessment-results.json -o my-results

# Validate the imported models
trestle validate -t assessment-plan -n my-assessment
trestle validate -t assessment-results -n my-results
```
Assessment models support split/merge like other OSCAL models:
```bash
trestle split -t assessment-results -n my-results -e 'assessment-results.results'
trestle merge -t assessment-results -n my-results -e 'results'
```
Catalog → Profile → SSP → Assessment Plan → Assessment Results → POA&M
The assessment plan references the SSP via import-ssp, and the assessment results reference the plan via import-ap.

Assessment models do not have trestle author generate/assemble commands. Unlike catalogs, profiles, component definitions, and SSPs, assessment plans and assessment results use a JSON-based workflow:
create → split → edit JSON → merge → validate
Direct JSON editing via the split/merge cycle is the correct approach for these models.