Format Specification

Client Requests OSCAL Files From Server

The OSCAL specification allows OSCAL content to exist as XML, JSON, or YAML. While the OSCAL REST OpenAPI specification uses JSON for most interactions, the following method/endpoint combinations must honor the Accept HTTP header for JSON, XML, and YAML:

• GET /{model-name}/{Identifier}
• GET /{model-name}/{Identifier}/snapshot/{Identifier}
• GET /profile/{Identifier}/resolved-catalog
• GET /profile/{Identifier}/resolved-snapshot/{Identifier}

When Accept is set to:

• application/json or application/oscal+json return the OSCAL content in JSON format;
• application/xml (preferred by RFC 7303) or text/xml (deprecated by RFC 7303) or application/oscal+xml return the OSCAL content in XML format; or
• application/yaml or text/yaml return the OSCAL content in YAML format.

When returning the OSCAL content, the implementation must set the Content-type header to:

• application/json when returning the OSCAL content in JSON format;
• application/xml when returning the OSCAL content in XML format; or
• application/yaml when return the OSCAL content in YAML format.

Client Sends OSCAL Files To Server

Similarly, XML, JSON or YAML OSCAL files may be used with the following method/endpoint combinations:

• POST /{model-name}
• PUT /{model-name}/{Identifier}

In these cases, the client must include the Content-type HTML header and set it to one of the following:

• application/json when sending an OSCAL file in JSON format;
• application/xml when sending an OSCAL file in XML format; or
• application/yaml when sending an OSCAL file in YAML format.

The implementation must accept all three OSCAL formats. OSCAL content sent to the server in any one of the three formats must be made available in all three formats for the relevant GET method/endpoint combinations.