Adjust target and message #939 missing-response

src/validations/constraints/content/ssp-all-VALID.xml

@@ -400,31 +400,31 @@
       <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="implementation-status" value="partial" ns="https://fedramp.gov/ns/oscal"/>
       <statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009">
+        <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
+          <description>
+            <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p>
+          </description>
+          <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/>
+          <responsible-role role-id="system-admin">
+            <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+          </responsible-role>
+        </by-component>    
       </statement>
-      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
-        <description>
-          <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p>
-        </description>
-        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/>
-        <responsible-role role-id="system-admin">
-          <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-        </responsible-role>
-      </by-component>
     </implemented-requirement>
 
     <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
       <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/>
       <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c">
+        <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d">
+          <description>
+            <p>Information System Component Inventory (CM-8) is partially implemented.</p>
+          </description>
+          <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/>
+          <responsible-role role-id="system-admin">
+            <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+          </responsible-role>
+        </by-component>      
       </statement>
-      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d">
-        <description>
-          <p>Information System Component Inventory (CM-8) is partially implemented.</p>
-        </description>
-        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/>
-        <responsible-role role-id="system-admin">
-          <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
-        </responsible-role>
-      </by-component>
     </implemented-requirement>
   </control-implementation>
 

src/validations/constraints/fedramp-external-constraints.xml

@@ -158,10 +158,10 @@
     <context>
         <metapath target="/system-security-plan/control-implementation"/>
         <constraints>
-            <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0" level="ERROR">
-                <formal-name>Missing Response Components</formal-name>
+            <expect id="missing-response-components" target="implemented-requirement/statement" test="count(./by-component) gt 0" level="ERROR">
+                <formal-name>By-Component Reference for Implemented Requirements Missing</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-overview"/>
-                <message>Each implemented requirement MUST have at least one by-component reference to the source component implementing it.</message>
+                <message>A FedRAMP SSP MUST identify how the system implements each control requirement implemented at the per-statement level and reference any component used to implement it.</message>
             </expect>
         </constraints>
     </context>