
SSP Completeness Checks: Title Page and Section 3 System Information #804

Open
7 of 20 tasks
Tracked by #803
brian-ruf opened this issue Oct 23, 2024 · 9 comments

brian-ruf commented Oct 23, 2024

This is a ...

fix - something needs to be different

This relates to ...

  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

  • CSP Name
  • CSO Name and Short Name
  • FedRAMP Package ID
  • FIPS PUB 199 Level
  • Service Model
  • Deployment Model
  • Operational Date
  • Digital Identity level (DIL)
  • Authorization Path
  • General System Description
  • Title
  • Publication Date
  • Version
  • Revisions
  • FedRAMP Version Prop (OSCAL-specific)
  • Document sensitivity

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

  • All OSCAL adoption content affected by the change in this issue has been updated in accordance with the Documentation Standards.
  • All constraints associated with the review task have been created
  • The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
  • The constraint conforms to the FedRAMP Constraint Style Guide.
    • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
  • Known good test content is created for unit testing.
  • Known bad test content is created for unit testing.
  • Unit testing is configured to run both known good and known bad test content examples.
  • Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
  • A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
  • This issue is referenced in the PR.

Other information

No response

Task List


brian-ruf commented Oct 23, 2024

Analysis of data needs relative to core OSCAL syntax and FedRAMP OSCAL requirements:

| Data | Location | Core OSCAL | Legacy constraint | New constraint | Notes |
|---|---|---|---|---|---|
| CSP Name | `//metadata/party[@uuid=[//metadata/responsible-party[@role-id='cloud-service-provider']/party-uuid]]/name` | Y | not found | Needed | #874 touches on this, but no issue to directly address it |
| CSO Name | `//system-characteristics/system-name` | Y | has-system-name | Dropped | Required Core OSCAL field. No constraint needed. |
| CSO Short Name | `//system-characteristics/system-name-short` | Y | has-system-name-short | has-system-name-short | In Progress #689 |
| FedRAMP Package ID | `//system-characteristics/system-id[@identifier-type="http://fedramp.gov"]` | Y | not found | Needed | Need to finalize or clarify decision on identifier-type value |
| FIPS PUB 199 Level | `//system-characteristics/security-sensitivity-level` | Y | has-security-sensitivity-level | has-security-sensitivity-level | Conversion is in progress #669 |
| Service Model | `//system-characteristics/prop[@name='cloud-service-model']` | Y | has-cloud-service-model | In Progress | #737 |
| Service Model "Other" Explanation | `//system-characteristics/prop[@name='cloud-service-model'][@value='other']/remarks` | | has-cloud-service-model-remarks | In Progress | #737 |
| Deployment Model | `//system-characteristics/prop[@name="cloud-deployment-model"]` | Y | has-cloud-deployment-model | In Progress | #737 |
| Deployment Model "Other" Explanation | `//system-characteristics/prop[@name="cloud-deployment-model"]` | Y | has-cloud-deployment-model-remarks | In Progress | #737 |
| Operational Date | `//system-characteristics/prop[@name="fully-operational-date"]` | N | none found | Needed | #835 |
| Digital Identity level (DIL) IAL | `//system-characteristics/prop[@name="identity-assurance-level"]` | Y | has-identity-assurance-level | Converted | #701 |
| Digital Identity level (DIL) AAL | `//system-characteristics/prop[@name="authenticator-assurance-level"]` | Y | has-authenticator-assurance-level | Converted | #701 |
| Digital Identity level (DIL) FAL | `//system-characteristics/prop[@name="federation-assurance-level"]` | Y | has-federation-assurance-level | Converted | #701 |
| Authorization Path | `//system-characteristics/prop[@name="authorization-type"]` | N | authorization-type | has-authorization-type | Converted #622 |
| General System Description | `//system-characteristics/description` | Y | n/a | n/a | Required Core OSCAL field. No constraint needed. |
| Title | `//metadata/title` | Y | n/a | n/a | Required Core OSCAL field. No constraint needed. |
| Publication Date | `//metadata/published` | Y | none found | Needed | #873 |
| Version | `//metadata/version` | Y | not found | Needed | #873 |
| Revisions | `//metadata/revisions` | Y | not found | Defer | Defer detailed checks as this is moderate-effort/low-value |
| FedRAMP Version Prop | `//metadata/prop[@name='fedramp-version']` | Y | fedramp-version | In Progress | #789, #800 |
| Document Marking | `//metadata/prop[@name='marking']` | Y | none found | Needed | #836 |

@brian-ruf brian-ruf added type: epic and removed enhancement New feature or request labels Oct 24, 2024
@aj-stein-gsa aj-stein-gsa moved this from 🆕 New to 🔍 Active Objectives and Issues in FedRAMP Automation Oct 29, 2024
@aj-stein-gsa

@brian-ruf re //metadata/version, beyond existence checking, what can we know about a version? That I have not seen much information about from the CSP or agency perspective on package documents (speaking separately from "public source" catalogs and profiles).

@brian-ruf

Singularly - not much. Where this will become relevant is with a collection of SSPs related to a single system, in comparison to other versions of the same SSP.

@aj-stein-gsa

> Singularly - not much. Where this will become relevant is with a collection of SSPs related to a single system, in comparison to other versions of the same SSP.

OK, so what would the constraint be, that it isn't empty?

@brian-ruf

Correct. That's all we can do.

@aj-stein-gsa

> Correct. That's all we can do.

Cool I can write that one up in an issue then.
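The completeness checks tabulated above, plus the "it isn't empty" check for `//metadata/version` settled in the exchange just before this, as an added reference implementation. This is not the project's Metaschema constraints and not code posted in this thread: it is a standard-library Python script that evaluates the table's XPaths over an OSCAL SSP in XML. Assumptions: the document uses the OSCAL 1.0 XML namespace; the sample SSP, its UUIDs, the package ID `F00000001` and all prop values are constructed for illustration; the `identifier-type` is spelled `https://fedramp.gov` (the thread notes this value is still to be finalized); and, like the XPaths in the table, prop lookups key on `@name` only and do not filter on the prop's `ns` attribute.

```python
"""Completeness checks for the Title Page / Section 3 fields tabulated in this issue,
evaluated as plain XPath over an OSCAL SSP in XML (stdlib only).
Added example, not the project's Metaschema constraints; all sample data is constructed."""
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}
FR_NS = "https://fedramp.gov/ns/oscal"              # ns carried by FedRAMP extension props
CSP_UUID = "11111111-1111-4111-8111-111111111111"   # constructed

# Constructed minimal SSP that satisfies every check below (not a real package).
GOOD_SSP = f"""<system-security-plan xmlns="{OSCAL_NS}" uuid="22222222-2222-4222-8222-222222222222">
 <metadata>
  <title>Example CSO System Security Plan</title>
  <published>2024-10-01T00:00:00Z</published>
  <version>1.2</version>
  <prop name="marking" value="cui"/>
  <prop name="fedramp-version" ns="{FR_NS}" value="3.0.0"/>
  <party uuid="{CSP_UUID}" type="organization"><name>Example Cloud Services, Inc.</name></party>
  <responsible-party role-id="cloud-service-provider"><party-uuid>{CSP_UUID}</party-uuid></responsible-party>
 </metadata>
 <system-characteristics>
  <system-id identifier-type="https://fedramp.gov">F00000001</system-id>
  <system-name>Example Cloud Service Offering</system-name>
  <system-name-short>ECSO</system-name-short>
  <description><p>Constructed system description.</p></description>
  <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
  <prop name="cloud-service-model" value="saas"/>
  <prop name="cloud-deployment-model" value="public-cloud"/>
  <prop name="fully-operational-date" ns="{FR_NS}" value="2024-01-15T00:00:00Z"/>
  <prop name="identity-assurance-level" ns="{FR_NS}" value="2"/>
  <prop name="authenticator-assurance-level" ns="{FR_NS}" value="2"/>
  <prop name="federation-assurance-level" ns="{FR_NS}" value="2"/>
  <prop name="authorization-type" ns="{FR_NS}" value="fedramp-agency"/>
 </system-characteristics>
</system-security-plan>"""

# Constructed failing variant: empty version, a CSP party-uuid that resolves to no party,
# service model 'other' without remarks, and no operational date.
BAD_SSP = (GOOD_SSP
    .replace("<version>1.2</version>", "<version></version>")
    .replace(f"<party-uuid>{CSP_UUID}</party-uuid>", "<party-uuid>33333333-3333-4333-8333-333333333333</party-uuid>")
    .replace('<prop name="cloud-service-model" value="saas"/>', '<prop name="cloud-service-model" value="other"/>')
    .replace(f'<prop name="fully-operational-date" ns="{FR_NS}" value="2024-01-15T00:00:00Z"/>', ""))

SC = "./o:system-characteristics/"
# (label, path, kind): "present" = node exists; "nonempty" = node exists with non-blank text.
# Like the XPaths in the issue, prop lookups key on @name only and do not filter on @ns.
FIELD_CHECKS = [
    ("Title", "./o:metadata/o:title", "nonempty"),
    ("Publication Date", "./o:metadata/o:published", "nonempty"),
    ("Version", "./o:metadata/o:version", "nonempty"),           # the only check possible: not empty
    ("Document Marking", "./o:metadata/o:prop[@name='marking']", "present"),
    ("FedRAMP Version Prop", "./o:metadata/o:prop[@name='fedramp-version']", "present"),
    ("CSO Name", SC + "o:system-name", "nonempty"),
    ("CSO Short Name", SC + "o:system-name-short", "nonempty"),
    ("FedRAMP Package ID", SC + "o:system-id[@identifier-type='https://fedramp.gov']", "nonempty"),
    ("FIPS PUB 199 Level", SC + "o:security-sensitivity-level", "nonempty"),
    ("General System Description", SC + "o:description", "nonempty"),
    ("Service Model", SC + "o:prop[@name='cloud-service-model']", "present"),
    ("Deployment Model", SC + "o:prop[@name='cloud-deployment-model']", "present"),
    ("Operational Date", SC + "o:prop[@name='fully-operational-date']", "present"),
    ("DIL IAL", SC + "o:prop[@name='identity-assurance-level']", "present"),
    ("DIL AAL", SC + "o:prop[@name='authenticator-assurance-level']", "present"),
    ("DIL FAL", SC + "o:prop[@name='federation-assurance-level']", "present"),
    ("Authorization Path", SC + "o:prop[@name='authorization-type']", "present"),
]


def _text(el):
    """Whitespace-trimmed text of an element and its descendants ('' if absent)."""
    return "".join(el.itertext()).strip() if el is not None else ""


def check_completeness(xml_text: str) -> list:
    """Return one finding per missing or empty item; an empty list means the SSP passes."""
    root = ET.fromstring(xml_text)
    findings = []
    for label, path, kind in FIELD_CHECKS:
        node = root.find(path, NS)
        if node is None:
            findings.append(f"{label}: missing ({path})")
        elif kind == "nonempty" and not _text(node):
            findings.append(f"{label}: present but empty ({path})")
    # CSP Name: responsible-party[@role-id='cloud-service-provider']/party-uuid -> party/name.
    # The party is matched in Python rather than by interpolating the uuid into an XPath.
    ref = _text(root.find("./o:metadata/o:responsible-party[@role-id='cloud-service-provider']/o:party-uuid", NS))
    party = next((p for p in root.findall("./o:metadata/o:party", NS) if ref and p.get("uuid") == ref), None)
    if party is None:
        findings.append("CSP Name: no party resolves from the cloud-service-provider responsible-party")
    elif not _text(party.find("o:name", NS)):
        findings.append("CSP Name: cloud-service-provider party has no name")
    # A service or deployment model of 'other' must be explained in a non-blank remarks child.
    for label, name in (("Service Model", "cloud-service-model"), ("Deployment Model", "cloud-deployment-model")):
        prop = root.find(SC + f"o:prop[@name='{name}']", NS)
        if prop is not None and prop.get("value") == "other" and not _text(prop.find("o:remarks", NS)):
            findings.append(f"{label}: value 'other' requires an explanation in remarks")
    return findings


if __name__ == "__main__":
    print("good:", check_completeness(GOOD_SSP))   # []
    for finding in check_completeness(BAD_SSP):
        print("bad: ", finding)
```

The two constructed documents play the role of the "known good" and "known bad" test content the acceptance criteria call for: the good one must produce no findings, the bad one exactly the defects planted in it. Note the CSP Name check is a cross-reference, not a single-node existence test, so a `party-uuid` that points nowhere is reported even though both the `responsible-party` and a `party` element exist.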


brian-ruf commented Nov 8, 2024

Analysis of Documentation:

NOTE: Example SSP content is being updated HERE.

| Data | Location | Documentation Link | Documentation Notes | Example Updated |
|---|---|---|---|---|
| CSP Name | `//metadata/party[@uuid=[//metadata/responsible-party[@role-id='cloud-service-provider']/party-uuid]]/name` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#cloud-service-provider-csp-name | Good | Y |
| CSO Name | `//system-characteristics/system-name` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier | Good | Y |
| CSO Short Name | `//system-characteristics/system-name-short` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier | Good | Y |
| FedRAMP Package ID | `//system-characteristics/system-id[@identifier-type="https://fedramp.gov"]` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier | Needs identifier type value updated in example; needs identifier type value updated in Allowed Value; needs identifier type value updated in queries | ? |
| FIPS PUB 199 Level | `//system-characteristics/security-sensitivity-level` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-sensitivity-level | Good | Y |
| Service Model | `//system-characteristics/prop[@name='cloud-service-model']` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#service-model | Good | Y |
| Service Model "Other" Explanation | `//system-characteristics/prop[@name='cloud-service-model'][@value='other']/remarks` | see above | Good | Y |
| Deployment Model | `//system-characteristics/prop[@name="cloud-deployment-model"]` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#deployment-model | Good | Y |
| Deployment Model "Other" Explanation | `//system-characteristics/prop[@name="cloud-deployment-model"]` | see above | Good | Y |
| Operational Date | `//system-characteristics/prop[@name="fully-operational-date"]` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-status | Good | Y |
| Digital Identity level (DIL) IAL | `//system-characteristics/prop[@name="identity-assurance-level"]` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#digital-identity-level-dil-determination | Good | Y |
| Digital Identity level (DIL) AAL | `//system-characteristics/prop[@name="authenticator-assurance-level"]` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#digital-identity-level-dil-determination | Good | Y |
| Digital Identity level (DIL) FAL | `//system-characteristics/prop[@name="federation-assurance-level"]` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#digital-identity-level-dil-determination | Good | Y |
| Authorization Path | `//system-characteristics/prop[@name="authorization-type"]` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#federal-authorizing-officials | Need to remove JAB references; need to expand to include other authorization path types; need to add "Allowed Values" content; this is buried in the Federal Authorizing Officials section and may benefit from having its own section | Y |
| General System Description | `//system-characteristics/description` | https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-functionality | Good | Y |
| Title | `//metadata/title` | https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#title-page | Title page graphic is wrong; needs to be of the actual SSP template, not generic FedRAMP templates. Need path info | Y |
| Publication Date | `//metadata/published` | https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#title-page | Need path info | Y |
| Version | `//metadata/version` | https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#title-page | Need path info | Y |
| Revisions | `//metadata/revisions` | https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#document-revision-history | Need path info | Y |
| FedRAMP Version Prop | `//metadata/prop[@name='fedramp-version']` | NEED DOCUMENTATION | Need path info | Y |
| Document Marking | `//metadata/prop[@name='marking']` | https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#title-page | Need path info | Y |


brian-ruf commented Nov 8, 2024

Extra comment to call out that the fedramp-version prop is undocumented from a usage perspective.

THIS page describes the Release Strategy and Versioning in general.

The following should be added (perhaps to THIS page):

  • the fact that this is a FedRAMP extension that belongs in the metadata
  • cardinality, data type and allowed values
  • a way for tool developers to know what version(s) our approach uses and under what circumstances

@aj-stein-gsa

> The following should be added (perhaps to THIS page):

There is a queue of changes that need to be deployed from the site into main from develop. See GSA/automate.fedramp.gov#94.
