OSCAL Assessment Plan field mapping
CAM exports engagement and control test data to OSCAL Assessment Plan format using the following field mappings.
Engagement metadata mapping
The OSCAL Assessment Plan metadata section contains engagement-level information exported from the CAM engagement record.
| OSCAL AP field | CAM field | Description |
|---|---|---|
| assessment_plan.uuid | sn_audit_engagement.sys_id | Unique identifier for the engagement |
| assessment_plan.metadata.title | sn_audit_engagement.name | Engagement name |
| assessment_plan.metadata.props[@name=state] | sn_audit_engagement.state.displayValue | Current engagement state (Open, Work in Progress, Closed, Complete) |
| assessment_plan.metadata.props[@name=fieldwork_complete_percentage] | sn_audit_engagement.task_percent_complete | Percentage of testing tasks completed |
| assessment_plan.metadata.props[@name=objective] | sn_audit_engagement.objectives | Testing objectives for this engagement |
| assessment_plan.metadata.props[@name=planned_end_date] | sn_audit_engagement.audit_period_end | Planned audit end date |
| assessment_plan.metadata.props[@name=planned_start_date] | sn_audit_engagement.audit_period_start | Planned audit start date |
| assessment_plan.metadata.props[@name=engagement_starts] | sn_audit_engagement.engagement_starts | When the engagement officially begins |
| assessment_plan.metadata.props[@name=engagement_ends] | sn_audit_engagement.engagement_ends | When the engagement officially ends |
| assessment_plan.metadata.props[@name=fieldwork_start_date] | sn_audit_engagement.start_date | When actual testing work begins |
| assessment_plan.metadata.props[@name=fieldwork_end_date] | sn_audit_engagement.end_date | When actual testing work ends |
| assessment_plan.metadata.props[@name=budget_cost] | sn_audit_engagement.budget_cost | Approved budget amount for the engagement |
| assessment_plan.metadata.props[@name=planned_cost] | sn_audit_engagement.cost | Planned cost for the engagement |
User and role mapping
The OSCAL metadata.parties section contains user information, and metadata.roles defines available roles. Responsible parties link users to their roles.
| OSCAL AP Field | CAM Field | Description |
|---|---|---|
| assessment_plan.metadata.parties.uuid | sys_user.sys_id | ServiceNow user unique identifier |
| assessment_plan.metadata.parties.type | person (default for individual users) | Party type: person for individual users, organization for groups |
| assessment_plan.metadata.parties.name | sys_user.first_name + ' ' + sys_user.last_name | User's full name |
Exported roles include engagement lead, approvers, auditors, and control test owner (mapped from the control test's Assigned to field).
Control test mapping (activities)
The OSCAL local-definitions.activities section contains control test information. Each activity represents one control test in CAM.
| OSCAL AP Field | CAM Field | Description |
|---|---|---|
| assessment_plan.local-definitions.activities.uuid | sn_audit_control_test.sys_id | Unique identifier for the control test |
| assessment_plan.local-definitions.activities.title | sn_audit_control_test.short_description | Brief title of the control test |
| assessment_plan.local-definitions.activities.description | sn_audit_control_test.description | Detailed description of what will be tested |
| assessment_plan.local-definitions.activities.props[@name=state] | sn_audit_control_test.state.getDisplayValue | Current test status (Not tested, In progress, Complete) |
| assessment_plan.local-definitions.activities.props[@name=operational-assessment-procedures] | sn_audit_control_test.operation_assessment_procedures | Operational assessment procedures for this control test |
| assessment_plan.local-definitions.activities.related-controls.control-selections.include-controls.control-id | sn_audit_control_test.control | Control being tested (for example, AC-2, AU-3) |
| assessment_plan.local-definitions.activities.related-controls.control-objective-selections.include-objectives.objective-id | sn_audit_control_test.test_plan | Test plan associated with this control test |
Assessment procedure mapping (steps)
The OSCAL activities.steps section contains assessment procedure information. Each step represents one assessment procedure in CAM.
| OSCAL AP Field | CAM Field | Description |
|---|---|---|
| assessment_plan.local-definitions.activities.steps.uuid | sn_audit_asmnt_procedure_control_test.sys_id | Unique identifier for the assessment procedure |
| assessment_plan.local-definitions.activities.steps.description | sn_audit_asmnt_procedure_control_test.assessment_objective | What this test step assesses or verifies |
| assessment_plan.local-definitions.activities.steps.props[@name=label] | sn_audit_asmnt_procedure_control_test.identifier | Step identifier (for example, AC-2(a), AC-2(b)) |
Reviewed controls mapping
The OSCAL reviewed-controls section identifies which controls are in scope for the assessment engagement.
| OSCAL AP Field | CAM Field | Description |
|---|---|---|
| assessment_plan.reviewed-controls.control-selections.include-controls.control-id | sn_audit_m2m_control_engagement.sn_compliance_control.reference | Control reference included in this engagement (e.g., AC-2, AU-3) |
| assessment_plan.reviewed-controls.control-selections.include-controls.statement-ids | sn_audit_m2m_control_engagement.sn_compliance_control.sn_compliance_m2m_control_control_requirement.control_requirement | Specific control requirements being tested (e.g., AC-2(a), AC-2(b)) |
SSP reference mapping
The OSCAL import-ssp section links the Assessment Plan to its parent System Security Plan.
| OSCAL AP Field | CAM Field | Description |
|---|---|---|
| assessment_plan.import-ssp.href | Package UUID (links to parent authorization package) | UUID reference linking this assessment plan to the package it tests |
The href uses the package UUID. If the package was imported, it uses the UUID from the external system. If the package was created in CAM, the system converts the sys_id to UUID format.
Custom properties
Custom properties contain CAM-specific data not natively supported by OSCAL standards. These properties use the ServiceNow namespace (identified by "ns:servicenow" in the JSON). Custom properties include engagement-specific fields such as fieldwork dates, budget information, and control test methods. Documentation of all custom properties is available on the ServiceNow product documentation site.
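A consumer of the export can use the mappings above to check that a plan is internally consistent before relying on it: every control referenced by an activity should appear in reviewed-controls, and import-ssp.href should carry a package UUID. The following is an added example, not ServiceNow code; the function names, the sample document, and the assumption that the JSON follows OSCAL's array layout under a root key of "assessment-plan" (or "assessment_plan" as written in the tables) are illustrative.

```python
import re

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def included_controls(section):
    """Collect control-id values under control-selections.include-controls."""
    return {c.get("control-id")
            for sel in section.get("control-selections", [])
            for c in sel.get("include-controls", [])}

def check_assessment_plan(doc):
    """Return consistency findings for an exported Assessment Plan (dict)."""
    # Assumption: the JSON root key is OSCAL's "assessment-plan"; the tables
    # above write it as "assessment_plan", so either spelling is accepted.
    ap = doc.get("assessment-plan") or doc.get("assessment_plan") or {}
    findings = []
    if not UUID_RE.fullmatch(str(ap.get("uuid", ""))):
        findings.append("assessment plan uuid is not in UUID format")
    # import-ssp.href must carry the parent package UUID.
    if not UUID_RE.search(str(ap.get("import-ssp", {}).get("href", ""))):
        findings.append("import-ssp.href carries no package UUID")
    in_scope = included_controls(ap.get("reviewed-controls", {}))
    # Each activity is one control test; its control must be in engagement scope.
    for act in ap.get("local-definitions", {}).get("activities", []):
        tested = included_controls(act.get("related-controls", {}))
        for cid in sorted(tested - in_scope, key=str):
            findings.append(f"activity {act.get('title')!r}: control {cid} "
                            "is not listed in reviewed-controls")
    return findings

# Constructed sample, not a real CAM export: AU-3 is tested but not in scope.
SAMPLE = {"assessment-plan": {
    "uuid": "11111111-2222-4333-8444-555555555555",
    "metadata": {"title": "Constructed engagement"},
    "import-ssp": {"href": "#aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"},
    "local-definitions": {"activities": [
        {"uuid": "22222222-3333-4444-8555-666666666666", "title": "Test AC-2",
         "related-controls": {"control-selections": [
             {"include-controls": [{"control-id": "AC-2"}]}]}},
        {"uuid": "33333333-4444-4555-8666-777777777777", "title": "Test AU-3",
         "related-controls": {"control-selections": [
             {"include-controls": [{"control-id": "AU-3"}]}]}}]},
    "reviewed-controls": {"control-selections": [
        {"include-controls": [{"control-id": "AC-2",
                               "statement-ids": ["AC-2(a)", "AC-2(b)"]}]}]},
}}

if __name__ == "__main__":
    for finding in check_assessment_plan(SAMPLE):
        print(finding)
```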