Skip to content

Commit

Permalink
Add system-characteristics 'has-assurance-level' constraints (#701)
Browse files Browse the repository at this point in the history
* Add system-characteristics 'has-assurance-level' constraints & tests

* Make uniform wording for informational findings per PR review

---------

Co-authored-by: A.J. Stein <[email protected]>
  • Loading branch information
Gabeblis and aj-stein-gsa authored Sep 18, 2024
1 parent 65f2030 commit e1bfe5c
Show file tree
Hide file tree
Showing 9 changed files with 79 additions and 4 deletions.
15 changes: 12 additions & 3 deletions features/fedramp_extensions.feature
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,14 @@ Examples:
| data-center-us-PASS.yaml |
| deployment-mode-FAIL.yaml |
| deployment-mode-PASS.yaml |
| has-authenticator-assurance-level-FAIL.yaml |
| has-authenticator-assurance-level-PASS.yaml |
| has-configuration-management-plan-FAIL.yaml |
| has-configuration-management-plan-PASS.yaml |
| has-federation-assurance-level-FAIL.yaml |
| has-federation-assurance-level-PASS.yaml |
| has-identity-assurance-level-FAIL.yaml |
| has-identity-assurance-level-PASS.yaml |
| has-incident-response-plan-FAIL.yaml |
| has-incident-response-plan-PASS.yaml |
| has-information-system-contingency-plan-FAIL.yaml |
Expand All @@ -71,12 +77,12 @@ Examples:
| resource-has-title-PASS.yaml |
| response-point-FAIL.yaml |
| response-point-PASS.yaml |
| role-defined-system-owner-FAIL.yaml |
| role-defined-system-owner-PASS.yaml |
| role-defined-authorizing-official-poc-FAIL.yaml |
| role-defined-authorizing-official-poc-PASS.yaml |
| role-defined-information-system-security-officer-FAIL.yaml |
| role-defined-information-system-security-officer-PASS.yaml |
| role-defined-system-owner-FAIL.yaml |
| role-defined-system-owner-PASS.yaml |
| scan-type-FAIL.yaml |
| scan-type-PASS.yaml |
| user-type-FAIL.yaml |
Expand Down Expand Up @@ -110,7 +116,10 @@ Examples:
| data-center-country-code |
| data-center-primary |
| deployment-model |
| has-authenticator-assurance-level |
| has-configuration-management-plan |
| has-federation-assurance-level |
| has-identity-assurance-level |
| has-incident-response-plan |
| has-information-system-contingency-plan |
| has-rules-of-behavior |
Expand All @@ -124,9 +133,9 @@ Examples:
| prop-response-point-has-cardinality-one |
| resource-has-base64-or-rlink |
| resource-has-title |
| role-defined-system-owner |
| role-defined-authorizing-official-poc |
| role-defined-information-system-security-officer |
| role-defined-system-owner |
| scan-type |
| user-type |
#END_DYNAMIC_CONSTRAINT_IDS
3 changes: 3 additions & 0 deletions src/validations/constraints/content/ssp-all-VALID.xml
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,9 @@
<prop name='cloud-deployment-model' value='government-only-cloud' ns="https://fedramp.gov/ns/oscal"/>
<prop name='cloud-service-model' value='other' ns="https://fedramp.gov/ns/oscal"/>
<prop name='authorization-type' value='fedramp-agency' ns="https://fedramp.gov/ns/oscal"/>
<prop name="identity-assurance-level" value="2"/>
<prop name="authenticator-assurance-level" value="2"/>
<prop name="federation-assurance-level" value="2"/>
<security-sensitivity-level>moderate</security-sensitivity-level>
<system-information>
<information-type uuid="33333333-0000-4000-9000-000000000003">
Expand Down
11 changes: 10 additions & 1 deletion src/validations/constraints/fedramp-external-constraints.xml
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,18 @@
<expect id="categorization-has-correct-system-attribute" target="./system-characteristics" test="system-information/information-type/categorization/@system eq 'https://doi.org/10.6028/NIST.SP.800-60v2r1'" level="ERROR">
<message>A FedRAMP SSP information-type categorization requires a correct system attribute. FedRAMP only supports the system value 'https://doi.org/10.6028/NIST.SP.800-60v2r1'.</message>
</expect>
<expect id="categorization-has-information-type-id" target="//system-characteristics" test="system-information/information-type/categorization/information-type-id" level="ERROR">
<expect id="categorization-has-information-type-id" target="./system-characteristics" test="system-information/information-type/categorization/information-type-id" level="ERROR">
<message>A FedRAMP SSP information type categorization must have at least one information type identifier.</message>
</expect>
<expect id="has-identity-assurance-level" target="./system-characteristics" test="prop[@name eq 'identity-assurance-level']" level="INFORMATIONAL">
<message>This FedRAMP SSP does define its NIST SP 800-63 identity assurance level (IAL).</message>
</expect>
<expect id="has-authenticator-assurance-level" target="./system-characteristics" test="prop[@name eq 'authenticator-assurance-level']" level="INFORMATIONAL">
<message>This FedRAMP SSP does define its NIST SP 800-63 authenticator assurance level (AAL).</message>
</expect>
<expect id="has-federation-assurance-level" target="./system-characteristics" test="prop[@name eq 'federation-assurance-level']" level="INFORMATIONAL">
<message>This FedRAMP SSP does define its NIST SP 800-63 federation assurance level (IAL).</message>
</expect>
</constraints>
</context>
<context>
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for has-authenticator-assurance-level
description: >-
This test case validates the behavior of constraint
has-authenticator-assurance-level
content: ../content/ssp-all-INVALID.xml
expectations:
- constraint-id: has-authenticator-assurance-level
result: fail
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for has-authenticator-assurance-level
description: >-
This test case validates the behavior of constraint
has-authenticator-assurance-level
content: ../content/ssp-all-VALID.xml
expectations:
- constraint-id: has-authenticator-assurance-level
result: pass
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for has-federation-assurance-level
description: >-
This test case validates the behavior of constraint
has-federation-assurance-level
content: ../content/ssp-all-INVALID.xml
expectations:
- constraint-id: has-federation-assurance-level
result: fail
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for has-federation-assurance-level
description: >-
This test case validates the behavior of constraint
has-federation-assurance-level
content: ../content/ssp-all-VALID.xml
expectations:
- constraint-id: has-federation-assurance-level
result: pass
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for has-identity-assurance-level
description: >-
This test case validates the behavior of constraint
has-identity-assurance-level
content: ../content/ssp-all-INVALID.xml
expectations:
- constraint-id: has-identity-assurance-level
result: fail
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for has-identity-assurance-level
description: >-
This test case validates the behavior of constraint
has-identity-assurance-level
content: ../content/ssp-all-VALID.xml
expectations:
- constraint-id: has-identity-assurance-level
result: pass

0 comments on commit e1bfe5c

Please sign in to comment.