From ef26bb6df3bd98401044fc7fc6bf870614ca34cb Mon Sep 17 00:00:00 2001
From: "A.J. Stein" <aj@gsa.gov>
Date: Fri, 18 Oct 2024 17:51:32 -0400
Subject: [PATCH] [WIP] No by-component w/o statement for #770

Defining them outside of a statement is syntatically valid, but outside
of FedRAMP best practices and is not accepted. We must add an additional
constraint to indicate this should be removed.

Co-Authored-By: Kylie Hunter <kylie.hunter@gsa.gov>
---
 src/validations/constraints/fedramp-external-constraints.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 7329860f1..3c002d351 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -169,6 +169,9 @@
     <context>
         <metapath target="/system-security-plan/control-implementation"/>
         <constraints>
+            <expect id="implemented-requirement-outside-statement" target="implemented-requirement" test="not(exists(by-component))">
+                <message>A FedRAMP SSP MUST document only a component-based implemented requirement within a specific statement, not at the control level.</message>
+            </expect>
             <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0">
                 <message>Each implemented requirement must have at least one by-component reference to the source component implementing it.</message>
             </expect>