The following is a description of the sequence and elements that comprise the Unified Compliance Authority Document XML format and schema. Each of the elements, types, and attributes that make up the format are described in detail. The Authority Documents list ties directly to the Citations found within each of the authority documents, and the Terms found within each of the authority documents.

The URL for the current version of the AD List's XML schema (version 2) can be found here:

http://unifiedcompliance.com/NFI/XSDs/UCF_Authority_Documents_v2_1.xsd

UCF_AD_Item (UCF_AD_Item_Type)

No matter how the information is split out there are three key elements that must be present always:

• UCF_Meta_Data

• UCF_Basic_Info

• UCF_References

UCF_Meta_Data (UCF_Meta_Data_Type)

For detailed documentation of Meta Data fields, please refer to the Meta Data documentation. Below is a list of the meta data fields that are in the Authority Documents list.

• UCF_AD_ID

• UCF_AD_ID_CheckDigit

• UCF_AD_Genealogy

• UCF_AD_Sort_ID

• UCF_AD_Live_Status

• UCF_AD_Deprecated_By

• UCF_AD_Deprecation_Notes

• UCF_AD_Date_Added

• UCF_AD_Date_Modified

• UCF_AD_Release_Version

UCF_Basic_Info (UCF_AD_Basic_Info_Type)

UCF_AD_Basic_Info is comprised of the information set that is most basic to all authority documents and any group that would care to share authority document lists with one another. The sequence of simple elements for UCF_AD_Basic_Info are as follows:

UCF_AD_Common_Name (ucf:non-empty-string)

UCF_AD_Common_Name is the colloquial, or database field name representation of the authority document's official name. Because some authority documents will have names that are almost a hundred characters long. This is too long for representation in a vertically aligned spreadsheet cell and too complex because the official name also sometimes use reserved characters or words such as and, or, etc.

The name should be short, succinct, relevant to the authority document's published name, and must ahere to database field naming conventions. Such conventions do not allow the use of certain characters. The list of restricted, nonusable characters in an authority document's common name are as follows:

, + - * / ^ & = ≠ ( ) [ ] \ ; : $ AND OR NOT XOR TRUE FALSE

In addition, the first character in any authority document's common name cannot be any of the following: space, period, or number.

UCF_AD_Title_Type (ucf:non-empty-string)

The Title type tells the OEM programmer how to treat the entry. Remember the UCF's Authority Document list is a hierarchical list. There are three title types:

CA = Category title only. This record only marks the authority documents that fall into its genealogy are a part of that particular category.

OR = This is the originating source of the Authority Documents that fall into its genealogy. For more information about originators and issuers, see the detailed info that follows in the meta data section.

AD = This is an Authority Document record, the meat, if you will, of the AD list.

GL = This is a Glossary Record, and will not have any controls assigned to it.

UCF_AD_URL (xs:anyURI)

The UCF_AD_URL is the Unique Resource Identifier (URI) of the authority document in question. This should be a direct link to the document (.pdf, .doc word format). If the document is secured, the URL should point to the document in such a way to redirect the end user through the sign-in page directly to the resource. If the document is a for-purchase document, the URL should point the end user directly to the purchase page for that specific resource.

UCF_AD_Type (UCF_AD_Type_Type)

The choices of elements within UCF_AD_Type are listed in their legal hierarchical status, as defined within the UCF_AD_Type_Type, documented below.

• Bill or Act

• Regulation or Statute

• Contractual Obligation

• Self-Regulatory Body Requirement

• Audit Guideline

• Safe Harbor

• International or National Standard

• Best Practice Guideline

• Organizational Directive

• Vendor Documentation

• Not Set

UCF_AD_Description (xs:string)

The UCF_AD_Description element holds a CSS formatted HTML entry containing the Authority Document's Official Name, it's ID, availability, the current number of citations associated with it, and when it was last reviewed and released.

UCF_AD_Official_Name (UCF_AD_Official_Name_Type)

As well as splitting out the basic information from the meta information, we have also created a complex type to define the official name of authority documents, which is a combination of the published name and the document's version.

UCF_AD_Language (ucf:non-empty-string)

If the Authority Document is in a specific language, that's what needs to be entered here. However, we are not using the name of the language, but rather the ISO 639-2 Codes for the Representation of Names of Languages reference. A complete and up-to-date reference can be found online at http://loc.gov/standards/iso639-2/php/code_changes.php. By default, all documents are in English (code eng).

UCF_AD_Parent_Category (UCF_AD_Parent_Type)

This is a direct reference to the Complex type UCF_AD_Parent_Type listed below.

• Asia and Pacific Rim Guidance

• Banking and Finance Guidance

• Energy Guidance

• EU Guidance

• General Guidance

• Healthcare and Life Science Guidance

• ISO Guidance

• ITIL Guidance

• Latin American Guidance

• NASD NYSE Guidance

• NIST Guidance

• Other Configuration Guidance

• Other European and African Guidance

• Payment Card Guidance

• Records Management Guidance

• Sarbanes Oxley Guidance

• System Configuration Guidance

• UK and Canadian Guidance

• US Federal Privacy Guidance

• US Federal Security Guidance

• US Internal Revenue Guidance

• US State Laws and Protectorates Guidance

• Vendors

UCF_AD_Availability (UCF_AD_Availability_Type)

Some authority documents are freely available, some are restricted, some are only available through direct purchase, and some are available only to members of a group. This field should list the availability status of the authority document. The enumerations for the UCF_AD_Availability_Type are as follows:

• Free

• For Purchase

• Membership

• With Product

• For Purchase or With Membership

Originator, Issuer, and the issuer's URL

Within the UCF's tracking of authority documents we have the problem of trying to figure out where a document came from. One would think that if the IRS wrote a procedure that they wanted you to follow, you could go to the IRS's website, type in the procedure name, and have that document pop up on your screen. Fat chance of that happening. Funny enough, you can find IRS revenue procedures, but not at the IRS website - at 20 other websites. None of these folks are the publishers or the authors. So what do we list? Do we try to tell you the author/publisher of the IRS procedures is Wacky Tom's Revenue Reporting site? We have to list something, so what we've done is split it into three elements - the originator (the IRS), the issuer (Wacky Tom's), and the issuer's URL (in case you don't know where on the web Wacky Tom lives).

UCF_AD_Originator (xs:string)

This is not so much who authored the document but where the document originated. The "authors" of the Sarbanes Oxley bill are Messrs. Sarbanes and Oxley. However, the bill originated in the U.S. Senate. So that's what we're listing - the organization in which the authority document originated.

UCF_AD_Issuer (xs:string)

An issuer is the harmonized title the UCF team has given all those who either publish or promulgate authority documents. Technically, a publisher is a firm in the business of issuing printed matter for sale or distribution. However, when it comes to laws, the correct term is promulgator. A promulgator is the legal body that announces a law as a way of putting it into execution. This is distinct and different from a law's publishing office that prints and distributes the law. Sometimes the promulgator will have a domain under which to find their authority documents and sometimes they won't. Therefore, we use the harmonized term of issuer to cover authors, publishers, and promulgators.

The issuer's name might be a source of ambiguity because there are many ways to express the names of companies and other organizations. Therefore, our determination is the name used for the issuer should stem from the highest organization-specific label of the issuing organization's fully qualified domain name (FQDN) and URL directory where the document is made available. Even if the domain name is different from the organization's name, your organization must use the domain name for the Issuer Name. The table below shows some representative examples. Notice that both documents are part of the US's Code of Federal Regulations. However, one document's issuer is the US National Archives and Records Administration (the publisher) and the other is the promulgator itself. The third example shows the originating organization is the US Whitehouse staff, and specifically the Office of Management and Budget (which is also the issuer). Because the OMB doesn't have its own domain, it uses the Whitehouse's domain and its own directory. The final example shows that even though the title of the document suggests that it originates from the OMB, it originates from a different source (which has OMB members on it).

Document	Originating organization	Issuing Organization	DNS Name and directory
Safety and Soundness Standards, Appendix of OCC 12 CFR 30	US Office of the Comptroller of the Currency (OCC)	US National Archives and Records Administration	ecfr.gpoaccess.gov
Privacy of Consumer Financial Information, FTC 16 CFR 313	US Federal Trade Commission	US Federal Trade Commission	www.ftc.gov
OMB Circular A-123 Management's Responsibility for Internal Co	The US White House (office of the President)	US Office of Management and Budget	www.whitehouse.gov/OMB/
Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control	US CFO Council	US CFO Council	www.cfoc.gov

The issuing organization is listed in this element, while the issuing organization's URL is listed in the following element. We hope combining the issuing organization's name and URL will help clarify any confusion.

UCF_AD_Issuer_Domain (xs:anyURI)

This is the Unique Resource Locator of the issuing organization in fully qualified domain name (FQDN) format - as well as the top level directory of the issuer if the issuer does not have its own domain name (as is the case for the OMB in the UCF_AD_Issuer example above).

UCF_AD_Status (xs:string)

This field represents the status the document is in within the UCF's document mapping process. The status fields are (in information flow order):

• Suggested meaning the document is at an early stage in the process. Much of the needed information is still missing but UCF staff are reviewing the document to decide if it should become "recommended" (see below).

• Recommended meaning the document has been recommended for inclusion in the UCF, but not yet verified.

• Queued meaning the document has been queued to be added to the UCF soon.

• In Research meaning the document is somewhere between being recommended and us figuring out what to do with it (or even find it in English).

• In Edit meaning the document is being worked on.

• Released meaning the document has been added to the UCF and should have an applicable release date.

• Not Applicable meaning the document has been verified to be a real authority document, however, the UCF mapping team have made the decision not to include the document in the UCF (for any number of reasons).

• On Hold Every so often we are sent an authority document for mapping that, during the mapping or research process, goes into change. Therefore, when that happens, we mark the authority document as being "On Hold" until we hear otherwise.

• Redacted means the record is no longer live. If the record belongs to an authority document (versus either a category record or originator record), then all the control citations within the UCF's main tables will also be redacted.

UCF_AD_Release_Date (xs:date)

This is the day, month, and year the authority document was initially released or rereleased into the UCF's database. If the UCF_Status field is anything other than Released, this field will have a null value.

UCF_AD_Effective_Date (xs:date)

This is the day, month, and year the authority document will take or took effect. There are differences between the various Authority Document types and where we found and how we gathered the effective date for each. For instance, because Bills or Acts are not yet codified into law, we listed their effective dates as the published date (or updated date) of the Bill or Act. Most regulations and statutes do list their effective date, and therefore our effective date is derived from their effective date. Contractual Obligations (like the various PCI documents), don't list an effective date. Instead, they list a released date, and that's what we used. For the rest of the Authority Documents, if we could find something that either stated "effective date" or "released date", we used that. If not, we used the publication's published date. For vendor documentation and best practice guidelines that are only published in HTML format, if the pages we mapped didn't have anything listed as a date, we ignored their effective date.

Vendor Documentation	Published Date/Released Date
Best Practice Guideline	Published/Released
International or National Standard	Edition Date/Publication Date
Safe Harbor	Effective Date/Published Date
Audit Guideline	Released Date
Contractual Obligation	Released Date
Regulation or Statute	Source/Effective Date
Bill or Act	Published Date

UCF_References (UCF_Reference_Type)

The final section in every UCF XML is the references section. In this section, you will find a list of ID's for every related record from all tables that are visible from the table the XML is generated for. For Authority Documents, the following fields are exported:

UCF_Issuer_ID (UCF_ID2_Type

This is the seven-digit ID that refers to the Issuer of the Authority Document.