This describes the XML representation of the UCF's Asset_List XML Schema Definition (XSD). Each of the elements, types, and attributes that make up the format are described in detail.

The URL for the Asset_List XML structure is as follows:

http://unifiedcompliance.com/NFI/XSDs/UCF_Assets_v2_1.xsd

The UCF_Asset_List presents information tracked by our team regarding the assets that are either mentioned in the authority documents within the overall UCF database, or the products and services mentioned by the vendors that are being validated for compliance assertion. This list format is meant to be as broad as possible so that it can tie in to MITRE's CPE list (which is narrower in scope), while allowing more flexibility to be used for other asset tracking matters.

UCF_Asset_Item (UCF_Asset_Item_Type)

The UCF_Asset_List is comprised of the UCF_Asset_Item containers. The UCF Asset Item defines each individual "record" within the list. Each container is split into three key elements that must be present at all times:

• • UCF_Meta_Data

  • UCF_Basic_Info

  • UCF_References

UCF_Meta_Data (UCF_Meta_Data_Type)

For detailed documentation of Meta Data fields, please refer to the Meta Data documentation. Below is a list of the meta data fields that are included in the Asset list.

• UCF_Asset_Release_Version

• UCF_Asset_ID

• UCF_Asset_ID_CheckDigit

• UCF_Asset_Genealogy

• UCF_Asset_Sort_ID

• UCF_Asset_Live_Status

• UCF_Asset_Deprecated_By

• UCF_Asset_Deprecation_Notes

• UCF_Asset_Date_Added

• UCF_Asset_Date_Modified

UCF_Basic_Info (UCF_Basic_Info_Type)

The UCF_Basic_Info element has exactly what you'd expect - the most critical information that pertains to all types of Assets.

UCF_Asset_Name (xs:string)

This is the name of the asset, product, or service as it appears on common marketing literature or can be found within a product search of a sales catalog. When referencing IT products it roughly, but not always, correlates to the CPE Title field maintained by MITRE and others.

UCF_Asset_Common_Name (xs:string)

The common name for a product or service is a name that can be used for display purposes on end users' computer screens and in database field names. The reason we need a common name is because some authority documents will have official titles that are almost a hundred characters long. This is too long for representation in a vertically aligned spreadsheet cell. Because the official title sometimes contains reserved characters or words such as and, or, and so on, it cannot be used for some purposes, such as the name of a database field. The common name should be short, succinct, relevant to the product's published name, and must follow strict adherence to database field naming conventions. Such conventions do not allow the use of certain characters. The list of restricted, non-usable characters in the product's common name are as follows:

, + - * / ^ & = ≠ ( ) [ ] \ ; : $ AND OR NOT XOR TRUE FALSE

In order to match (as closely as possible) the CPE naming methodology already in use (the Uniform Resource Identifier Generic Syntax, RFC 3986), the UCF™ team have adopted the same percent encoding rules as do they. A percent encoded character is encoded as a "character triplet" (meaning that the original character has been replaced by a code-set of three characters) consisting of the percent character "%" followed by the two hexadecimal digits representing that character's numeric value. If the "%" character is to be used outside of this encoding, then it would itself have to be encoded. The following is a list of characters that are converted to percent encoding when they are used within a vendor's name:

Original Character	Encoding	Reason
asterisk (*)	%2A	URI reserved character, sub-delims
plus sign (+)	%2B	URI reserved character, sub-delims
comma (,)	%2C	URI reserved character, sub-delims
slash (/)	%02F	URI reserved character, gen-delims
colon (:)	%3A	used to separate the components in a name
semi-colon (;)	%3B	URI reserved character, sub-delims
angle bracket (<)	%3C	used in XML
equal sign (=)	%3D	URI reserved character, sub-delims
angle bracket (>)	%3E	used in XML
question mark (?)	%3F	URI reserved character, gen-delims
open bracket ([)	%5B	URI reserved character, gen-delims
close bracket (])	%5D	URI reserved character, gen-delims
Space ( )	%20	Unsafe character
exclamation point (!)	%21	URI reserved character, sub-delims
double quote (")	%22	used in XML
pound sign (#)	%23	URI reserved character, gen-delims
dollar sign ($)	%24	URI reserved character, sub-delims
percent-sign (%)	%25	used for character encoding in URIs.
ampersand (&)	%26	URI reserved character, sub-delims
apostrophe (')	%27	URI reserved character, sub-delims
open parenthesis (()	%28	URI reserved character, sub-delims
close parenthesis ())	%29	URI reserved character, sub-delims
at sign (@)	%40	URI reserved character, gen-delims

Characters that are allowed in a URI but do not have a reserved purpose are called unreserved. These include uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde.

unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"

As a note, spaces may alternately be replaced with the unreserved character of an underscore ("_").

UCF_Asset_Category (UCF_Asset_Category_Type_List)

This is the general category in which a vendor's product or service falls. At this point there are only certain choices:

• • Database (or table within a database)

  • Operating System (includes OS drivers)

  • Application (includes application drivers)

  • Storage

  • Hardware (anything from cards to whole CPUs, network devices, etc.)

  • Network

  • Power or Air

  • Facility (including containers)

As the Network Frontiers team begins to build out product categories, we will work with all vendors to create an additional product category field and standardize the category entry types.

UCF_Asset_Class (xs:string)

The asset class is used for further identifying the general category that the asset belongs to. Such asset class names would be (Database) table, (Operating System) driver, (Network) wireless access point, or (Application) browser, with the information in the parentheses omitted. This allows our team to match whole classes of assets to their controls (such as all browsers having to have certain controls applied).

UCF_Asset_Version (xs:string)

The number of the particular version of an asset, if any. This is the same information as tracked in the CPE Version element. As such, the version should be represented in the whatever format the asset represents it in.

UCF_Asset_Update (xs:string)

If the asset has been updated, enter the information the vendor uses to indicate the particular update, such as a number, date, or service pack number. Sometimes this is referred to as a point release or a minor version. However, most of the time within the CPE list (which is a direct equivalent) this is where the service pack information has been documented. The technical difference between version and update will be different for certain vendors and products and as this bit of meta information evolves, our rules for adding and updating the information in this field will evolve as well.

UCF_Asset_Edition (xs:string)

If the asset has an edition name or number, enter it here. When considering software products that run only on certain operating systems, add the operating system in the edition field (i.e., Windows, Macintosh, Linux, Unix, Solaris, etc.). This could (and usually is) used to delineate professional versus education versus home user editions of a product. This is the more or less the same information as tracked in the CPE Edition element.

UCF_Asset_Language (xs:string)

If the asset is in a specific language, that's what needs to be entered here. However, we are not using the name of the language, but rather the ISO 639-2 Codes for the Representation of Names of Languages reference. A complete and up-to-date reference can be found online at http://loc.gov/standards/iso639-2/php/code_changes.php.

This should be the same information as tracked in the CPE Language element, however, we've found that all sorts of wonderful things have been popping up there.

UCF_Asset_Platform (xs:string)

If the asset is platform specific (32 bit, 64 bit, Intel, G4, etc.), then that's the information that must be entered here.

UCF_Asset_Path (xs:string)

This is the control inheritance path for the asset in question. Controls can be assigned at the category level (such as UCF CE ID 00901 calling for hardware redeployment or disposal controls), at the class level (such as UCF CE ID 00370 calling for testing of all WLANs for the presence of rogue access points), as well as the product level down through the product version and language level.

We publish the display of this information as follows

Category:Class:Product:Version:Update:Edition:Language:Platform

When calculating the controls that apply to the asset, you can calculate them through the controls assigned genealogically to assets above the one in question, followed through down to the asset in question.

UCF_CPE_Name (xs:string)

This is the Common Platform Enumeration correlation to the asset's common name. The reason that we break this out separately is that often the name used in the CPE list for a common name makes absolutely no sense to us. However, we realize that you need to use this information so we include it here for you.

UCF_References (UCF_Reference_Type)

The final section in every UCF XML is the references section. In this section, you will find a list of ID's for every related record from all tables that are visible from the table the XML is generated for. For Asset, the following fields are exported:

UCF_Vendor_ID (UCF_ID_Type2)

The ID of the Vendor(s) associated with this asset.