@@ -355,6 +388,9 @@
+
+ 11111111-0000-4000-9000-000000000001
+
diff --git a/src/validations/constraints/content/ssp-component-has-provider-responsible-role-INVALID.xml b/src/validations/constraints/content/ssp-component-has-provider-responsible-role-INVALID.xml
new file mode 100644
index 000000000..32eef91e2
--- /dev/null
+++ b/src/validations/constraints/content/ssp-component-has-provider-responsible-role-INVALID.xml
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+ 11111111-0000-4000-9000-000000000001
+ 11111111-0000-4000-9000-000000000002
+
+
+
+
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml
new file mode 100644
index 000000000..13bf1f266
--- /dev/null
+++ b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml
@@ -0,0 +1,10 @@
+
+
+ fips-199-moderate
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml
new file mode 100644
index 000000000..f3c9ec506
--- /dev/null
+++ b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml
@@ -0,0 +1,532 @@
+
+
+
+ Enhanced Example System Security Plan
+ 2024-08-01T14:30:00Z
+ 2024-08-01T14:30:00Z
+ 1.1
+ 1.1.2
+ SSP-2024-002
+
+
+
+ Authorizing Official
+
+
Senior official with authority to formally assume responsibility for operating a system at an acceptable level of risk.
+
+
+
+ Prepared By
+
+
This party prepared the SSP.
+
+
+
+ Prepared For
+
+
The organization for which this SSP was prepared. Typically the CSP.
+
+
+
+ Document Creator
+
+
+ Content Approver
+
+
+ System Administrator
+
+
+ Asset Owner
+
+
+ System Owner
+
+
+ Authorizing Official Point of Contact
+
+
+ Information System Security Officer (or Equivalent)
+
+
+ Information System Management Point of Contact (POC)
+
+
The highest level manager who is responsible for system operation on behalf of the System Owner.
+
+
+
+ Information System Technical Point of Contact
+
+
The individual or individuals leading the technical operation of the system.
+
+
+
+ General Point of Contact (POC)
+
+
A general point of contact for the system, designated by the system owner.
+
+
+
+
+ CSP HQ
+
+ Suite 0000
+ 1234 Some Street
+ Haven
+ ME
+ 00000
+ US
+
+
+
+
+ US
+
+
+
+
+
+ US
+
+
+
+
+ Person Name 1
+
+
+ name@example.com
+ 2020000001
+ 27b78960-59ef-4619-82b0-ae20b9c709ac
+ 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb
+
+
+ Cloud Service Provider (CSP) Name
+ CSP Acronym/Short Name
+
+ 27b78960-59ef-4619-82b0-ae20b9c709ac
+
+
+ Example Organization
+ ExOrg
+
+
+
+ Jane Doe
+ jane.doe@example.com
+
+
+
+
+ 3360e343-9860-4bda-9dfc-ff427c3dfab6
+
+
+ 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb
+
+
+ 11111111-0000-4000-9000-000000000001
+
+
+ 22222222-0000-4000-9000-000000000002
+
+
+
+ 22222222-0000-4000-9000-000000000002
+
+
+ 22222222-0000-4000-9000-000000000002
+
+
+ 22222222-0000-4000-9000-000000000002
+
+
+ 22222222-0000-4000-9000-000000000002
+
+
+ 22222222-0000-4000-9000-000000000002
+
+
+ 22222222-0000-4000-9000-000000000002
+
+
+ 22222222-0000-4000-9000-000000000002
+
+
+
+
This SSP is an example for demonstration purposes.
+
+
+
+
+
+
+ F00000001
+ Enhanced Example System
+ System's Short Name or Acronym
+
+
This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.
+
+
+
+
Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.
+
+
+
+
+
Remarks are required if service model is "other". Optional otherwise.
May use rlink with a relative path, or embedded as base64.
+
+
+
+ Document Title
+
+
Rules of Behavior
+
+
+
+
+
+ 00000000
+
+
Table 12-1 Attachments: Rules of Behavior (ROB)
+
May use rlink with a relative path, or embedded as base64.
+
+
+
+ Document Title
+
+
Contingency Plan (CP)
+
+
+
+
+
+ 00000000
+
+
Table 12-1 Attachments: Contingency Plan (CP) Attachment
+
May use rlink with a relative path, or embedded as base64.
+
+
+
+ Document Title
+
+
Configuration Management (CM) Plan
+
+
+
+
+
+ 00000000
+
+
Table 12-1 Attachments: Configuration Management (CM) Plan Attachment
+
May use rlink with a relative path, or embedded as base64.
+
+
+
+ Document Title
+
+
Incident Response (IR) Plan
+
+
+
+
+
+ 00000000
+
+
Table 12-1 Attachments: Incident Response (IR) Plan Attachment
+
May use rlink with a relative path, or embedded as base64.
+
+
+
+ Separation of Duties Matrix
+
+
Separation of Duties Matrix
+
+
+
+
+
+ 00000000
+
+
May use rlink with a relative path, or embedded as base64.
+
+
+
+
+
+ Authorization Boundary
+
+
Authorization Boundary Diagram
+
+
+
+
+
+ 00000000
+
+
May use rlink with a relative path, or embedded as base64.
+
+
+
+
+ Network Architecture
+
+
Network Architecture Diagram
+
+
+
+
+
+ 00000000
+
+
May use rlink with a relative path, or embedded as base64.
+
+
+
+
+ Data Flow
+
+
Data flow Diagram
+
+
+
+
+
+ 00000000
+
+
May use rlink with a relative path, or embedded as base64.
+
+
+
+
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml
new file mode 100644
index 000000000..03dc7f5f1
--- /dev/null
+++ b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml
@@ -0,0 +1,33 @@
+
+
+
+
+ Firebase CLI Connection
+
+
CLI for updating firebase Secure connection to an external API for data enrichment.
+
+
+
+
+
+
+ Firebase CLI Connection
+
+
CLI for updating firebase Secure connection to an external API for data enrichment.
+
+
+
+
+
+ nvm CLI Connection
+
+
CLI for updating nvm Secure connection to an external API for data enrichment.
+
+
+
+
+
+
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml
new file mode 100644
index 000000000..edf5f534c
--- /dev/null
+++ b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml
@@ -0,0 +1,25 @@
+
+
+
+
+ Firebase CLI Connection
+
+
CLI for updating firebase Secure connection to an external API for data enrichment.
+
+
+
+
+
+ Firebase CLI Connection
+
+
CLI for updating firebase Secure connection to an external API for data enrichment.
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index f0a36445b..e413feb0b 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -4,26 +4,6 @@
-
-
-
-
- Fedramp Version
-
- A FedRAMP document's metadata MUST define a valid FedRAMP version.
-
-
All documents in a digital authorization package for FedRAMP must specify the version that identifies which FedRAMP policies, guidance, and technical specifications its authors used during the creation and maintenance of the package.
-
-
-
- FedRAMP data sensitivity classification identifier.
-
- A FedRAMP document MUST have a marking that defines its data classification.
-
-
-
-
@@ -81,11 +61,22 @@
+ Component Has Authentication MethodA FedRAMP SSP MUST include at least one authentication method for each leveraged system.
+
+ Component Has Provider Responsible Role
+
+ A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services identify a "provider" role that references one responsible party.
+ Has Authorization Boundary Diagram Link Href Target
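Review bot: The message at L479 says the "provider" role must reference "one responsible party", which leaves open whether a second party-uuid is an error or merely unneeded. The INVALID fixture added for this constraint lists two party UUIDs and nothing else, so the expression appears to enforce exactly one; if so the message should say it: `identify a "provider" role that references exactly one responsible party.` If the test only requires at least one party, the fixture is failing for some other reason and the test-case description should name it.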
@@ -113,7 +104,12 @@
A FedRAMP SSP MUST use a valid FedRAMP catalog to reference security controls. It MUST NOT reference controls from a non-FedRAMP catalog.
-
+
+
+ Leveraged Authorization Has Valid Impact Level
+
+ A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization.
+
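Review bot: "the appropriate FIPS-199 impact level" at L488 does not tell an SSP author what makes a level inappropriate, so a failure on this constraint is not actionable from the message alone. The companion PASS test describes the accepted cases as a moderate system leveraging a moderate or a high authorization, which suggests the rule is "leveraged level at or above the system's sensitivity level"; if that is what the expression checks, state it, e.g. `MUST define, for each leveraged authorization, a FIPS-199 impact level (low, moderate, or high) at or above the system's security-sensitivity-level.` Leveraging a lower-impact authorization is exactly the inheritance gap a reviewer needs flagged, and the message is what the reviewer sees.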
@@ -270,30 +266,6 @@
-
-
-
-
-
- Fully Operational Date Is Valid
-
- A system MUST be fully implemented prior to submitting the SSP to FedRAMP.
-
-
- Fully Operational Date Type
-
-
-
-
-
- Fully Operational Date
-
- A FedRAMP SSP MUST define the system's fully operational date.
-
-
-
@@ -325,6 +297,16 @@
A FedRAMP SSP information type confidentiality, integrity, or availability impact MUST specify the selected impact.
+
+ Fully Operational Date Is Valid
+
+ A system MUST be fully implemented prior to submitting the SSP to FedRAMP.
+
+
+ Fully Operational Date Type
+
+ A FedRAMP SSP MUST specify the system's fully operational data as a "full-date" per RFC3339 with the addition of a timezone.
+ Has Authenticator Assurance Level
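Review bot: `fully operational data` at L523 should read `fully operational date`. The same sentence, "a "full-date" per RFC3339 with the addition of a timezone", is also self-contradictory as written, because an RFC 3339 `full-date` carries no UTC offset; if the expression checks OSCAL's date-with-timezone datatype, describe that, e.g. `MUST specify the system's fully operational date as an RFC 3339 full-date followed by a timezone offset.`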
@@ -433,6 +415,11 @@
A FedRAMP SSP MUST define its NIST SP 800-63 federation assurance level (FAL).
+
+ Fully Operational Date
+
+ A FedRAMP SSP MUST define the system's fully operational date.
+ Has Identity Assurance Level
@@ -520,14 +507,20 @@
-
-
-
-
- System Implementation Has Inventory Items
-
- A FedRAMP SSP system implementation section MUST have at least two inventory items.
-
+
+
+
+
+
+ Authentication Method Has Remarks
+
+ Each authentication method in a FedRAMP SSP MUST have a remarks field.
+
+
+ System Implementation Has Inventory Items
+
+ A FedRAMP SSP system implementation section MUST have at least two inventory items.
+ Leveraged Authorization Has Authorization Type
@@ -548,18 +541,43 @@
All network components in a FedRAMP SSP system implementation MUST define at least one interconnection security property.
-
-
+
+ Unique Asset Identifier
+ Ensure each inventory item has a unique asset-id property.
+
+
+
+
A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.
+
+
+
+
+
+
+ Fedramp Version
+
+ A FedRAMP document's metadata MUST define a valid FedRAMP version.
+
+
All documents in a digital authorization package for FedRAMP must specify the version that identifies which FedRAMP policies, guidance, and technical specifications its authors used during the creation and maintenance of the package.
+
+ Has Published DateAll documents submitted to FedRAMP MUST define a valid publication date.
+
+ FedRAMP data sensitivity classification identifier.
+
+ A FedRAMP document MUST have a marking that defines its data classification.
+
-
+
+
@@ -573,11 +591,6 @@
-
- Authentication Method Has Remarks
-
- Each authentication method in a FedRAMP SSP MUST have a remarks field.
- Unique Asset IdentifierEnsure each inventory item has a unique asset-id property.
@@ -587,6 +600,11 @@
A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.
+
+ Component Has Implementation Point
+
+ A FedRAMP SSP with service components and CLI software components performing cross-boundary network communication MUST indicate exactly one time if the point of implementation is internal or external to the system.
+
-
\ No newline at end of file
+
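Review bot: "MUST indicate exactly one time if the point of implementation is internal or external" at L600 is hard to read; "one time" presumably means a single property occurrence. Suggest `MUST carry exactly one implementation-point property, with a value of internal or external, on each service component and each CLI software component that communicates across the authorization boundary.`, substituting the property name the expression actually tests (not visible here). The two negative fixtures for this constraint hold two and three components respectively, so the message should also make clear which component kinds are in scope.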
diff --git a/src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml b/src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml
new file mode 100644
index 000000000..6411e2393
--- /dev/null
+++ b/src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Negative Test for component-has-provider-responsible-role
+ description: >-
+ This test case validates the behavior of constraint
+ component-has-provider-responsible-role
+ content: ../content/ssp-component-has-provider-responsible-role-INVALID.xml
+ expectations:
+ - constraint-id: component-has-provider-responsible-role
+ result: fail
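Review bot: The file name `component-responsible-role-references-party-FAIL.yaml` does not match the constraint it exercises, `component-has-provider-responsible-role` (L618), whereas every other test file in this commit is named `<constraint-id>-FAIL.yaml` / `-PASS.yaml` and the fixture itself is `ssp-component-has-provider-responsible-role-INVALID.xml`. Rename this file and its PASS counterpart to `component-has-provider-responsible-role-FAIL.yaml` and `component-has-provider-responsible-role-PASS.yaml` so a test can be located from the constraint id.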
diff --git a/src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml b/src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml
new file mode 100644
index 000000000..40990f9b8
--- /dev/null
+++ b/src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Positive Test for component-has-provider-responsible-role
+ description: >-
+ This test case validates the behavior of constraint
+ component-has-provider-responsible-role
+ content: ../content/ssp-all-VALID.xml
+ expectations:
+ - constraint-id: component-has-provider-responsible-role
+ result: pass
diff --git a/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-FAIL.yaml b/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-FAIL.yaml
new file mode 100644
index 000000000..e627b71ee
--- /dev/null
+++ b/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Negative Test for leveraged-authorization-has-valid-impact-level
+ description: >-
+ This test case validates the behavior of constraint
+ leveraged-authorization-matches-impact-level
+ content: ../content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml
+ expectations:
+ - constraint-id: leveraged-authorization-has-valid-impact-level
+ result: fail
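Review bot: The description at L645 names `leveraged-authorization-matches-impact-level`, but the expectation at L648 is for `leveraged-authorization-has-valid-impact-level`; one of the two is stale. Change L645 to `leveraged-authorization-has-valid-impact-level` to match the constraint file and the PASS test. Only one negative scenario is covered (the fixture shows `fips-199-moderate`); if the rule is "leveraged level at or above the system level", a second negative fixture with the comparison reversed would pin the direction of the check.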
diff --git a/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-PASS.yaml b/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-PASS.yaml
new file mode 100644
index 000000000..4bedfcc9a
--- /dev/null
+++ b/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-PASS.yaml
@@ -0,0 +1,12 @@
+test-case:
+ name: Positive Test for leveraged-authorization-has-valid-impact-level
+ description: >-
+ This test case validates the behavior of constraint leveraged-authorization-has-valid-impact-level.
+ Scenario 1: Security-sensitivity-level = 'fips-199-moderate' and leveraged-authorization impact-level = 'fips-199-moderate'.
+ Scenario 2: Security-sensitivity-level = 'fips-199-moderate' and leveraged-authorization impact-level = 'fips-199-high'.
+ content:
+ - ../content/ssp-all-VALID.xml
+ - ../content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml
+ expectations:
+ - constraint-id: leveraged-authorization-has-valid-impact-level
+ result: pass
diff --git a/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml b/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml
new file mode 100644
index 000000000..b14db64a5
--- /dev/null
+++ b/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml
@@ -0,0 +1,13 @@
+test-case:
+ name: Negative Test for network-component-has-implementation-point
+ description: >-
+ This test case validates the behavior of constraint
+ network-component-has-implementation-point
+ content:
+ - ../content/ssp-network-component-has-implementation-point-INVALID.xml
+ - ../content/ssp-network-component-has-implementation-point-INVALID-2.xml
+ expectations:
+ - constraint-id: network-component-has-implementation-point
+ fail_count:
+ type: "exact"
+ value: 2
\ No newline at end of file
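Review bot: `fail_count: exact 2` is asserted over two content files, but nothing in the test says whether the count is per file or summed across both; INVALID.xml holds two components and INVALID-2.xml three, so the two readings imply different constraint behaviour. Record the expected breakdown in the description, e.g. `INVALID.xml: both components lack an implementation point; INVALID-2.xml: ...`, or split this into one test case per file, each with its own exact count. The file also lacks a trailing newline, unlike the sibling PASS file.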
diff --git a/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml b/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml
new file mode 100644
index 000000000..414bd38cf
--- /dev/null
+++ b/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Positive Test for network-component-has-implementation-point
+ description: >-
+ This test case validates the behavior of constraint
+ network-component-has-implementation-point
+ content: ../content/ssp-all-VALID.xml
+ expectations:
+ - constraint-id: network-component-has-implementation-point
+ result: pass
diff --git a/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml b/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml
index 806d1ad70..327c9789a 100644
--- a/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml
+++ b/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml
@@ -8,4 +8,4 @@ test-case:
- constraint-id: unique-inventory-item-asset-id
fail_count:
type: "exact"
- value: 1
\ No newline at end of file
+ value: 2
\ No newline at end of file
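Review bot: The expected failure count changes from 1 to 2 at L713 with no change to the fixture visible in this diff, so the reason is recorded nowhere; presumably the rewritten unique-asset-id expression now reports every inventory item that shares a duplicated asset-id rather than one failure per duplicate value. Add that to the test-case description, e.g. `Expects one failure per inventory item sharing an asset-id, not one per duplicated value.`, and confirm the fixture still holds exactly one duplicated pair. The file also still lacks a trailing newline.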
diff --git a/src/validations/module.mk b/src/validations/module.mk
index 96c289f4b..679c12500 100644
--- a/src/validations/module.mk
+++ b/src/validations/module.mk
@@ -1,6 +1,7 @@
# Variables
OSCAL_VERSION = $(shell jq -r .dependencies.oscal package.json)
OSCAL_CLI_VERSION = $(shell awk '/^oscal-cli/ {print $$2}' .tool-versions)
+OSCAL_SERVER_VERSION = $(shell awk '/^oscal-server/ {print $$2}' .tool-versions)
OSCAL_CLI = npx oscal@$(OSCAL_VERSION)
SRC_DIR = ./src
DIST_DIR = ./dist
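Review bot: `OSCAL_SERVER_VERSION = $(shell awk ...)` at L723 uses recursive assignment, so the awk process is re-run on every expansion of the variable; write it as `OSCAL_SERVER_VERSION := $(shell awk '/^oscal-server/ {print $$2}' .tool-versions)`. The two existing `$(shell ...)` lines above it have the same flaw, but the new line need not copy the pattern. Note also that if `.tool-versions` has no `oscal-server` entry the variable is silently empty, which the `server update` recipe below then passes through as no argument.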
@@ -13,7 +14,7 @@ init-validations:
@echo "Installing node modules..."
npm install
$(OSCAL_CLI) use $(OSCAL_CLI_VERSION)
- $(OSCAL_CLI) server update
+ $(OSCAL_CLI) server update $(OSCAL_SERVER_VERSION)
# Style lint
.PHONY: lint-style
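Review bot: `$(OSCAL_CLI) server update $(OSCAL_SERVER_VERSION)` at L732 pins the server only while the awk match in `.tool-versions` produces a value; when it is empty the recipe degrades to the unpinned `server update` this commit is replacing, with no error, and the install is no longer reproducible. Fail loudly instead by preceding it with `test -n "$(OSCAL_SERVER_VERSION)" || { echo "oscal-server missing from .tool-versions" >&2; exit 1; }`. The `init-validations` rule starts above this hunk.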