org.cispec.fqdn
recommended: any CI with a DNS-resolvable hostnameorg.cispec.fqdn records the fully-qualified domain name of a Change
Item — the DNS-resolvable identifier that uniquely names it within the
DNS namespace.
This is distinct from org.cispec.commonname (a
human-readable label with no requirement to be DNS-resolvable),
org.cispec.ip-address (a network layer 3 address),
and org.cispec.location (a physical location). A FQDN
is specifically a DNS-resolvable name — db.prod.daplanet.net is a
fact about the CI’s identity in the DNS namespace, not a description
of where it is, what it’s called informally, or how to reach it at
layer 3.
This term corresponds to the fqdn property in OSCAL’s inventory
model, ensuring compatibility with FedRAMP machine-readable
authorization packages mandated by RFC-0024 (effective September
2026).
Applies to any CI with a DNS-assigned hostname: servers, network equipment, services, APIs, IoT devices with DNS entries, and any other asset with a resolvable FQDN.
Value format
A fully-qualified domain name in standard dot-notation.
org.cispec.fqdn=db.prod.daplanet.net
org.cispec.fqdn=api-gateway.example.org
org.cispec.fqdn=printer-01.corp.example.com
Conformance
org.cispec.fqdn is RECOMMENDED for any CI with a DNS-resolvable
hostname. Not REQUIRED for Declared conformance.
Attestation
fqdn is independently attestable via public DNS resolution for
publicly registered domains, or via internal DNS records for private
domains. Forward and reverse DNS lookup agreement provides additional
integrity confirmation.
Resolution and relation
fqdn paired with ip-address and
mac-address gives the complete network identity
of a CI across DNS, layer 3, and layer 2.
Document identifier
OID: 1.3.6.1.4.1.42387.2.6.4.4
GUID: e39b64b6-6144-5939-9cc1-aa8a91fd796b