
SSP Completeness Checks: Appendices B Acronyms & L Laws and Regulations #815

Open
9 tasks
Tracked by #803
brian-ruf opened this issue Oct 23, 2024 · 4 comments

Comments

@brian-ruf
Collaborator

brian-ruf commented Oct 23, 2024

This is a ...

fix - something needs to be different

This relates to ...

  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

User Story

As a consumer of FedRAMP automated completeness checks I want the following OSCAL-based SSP items to be automatically verified for completeness by metaschema constraints:

  • Check for standard FedRAMP attachments
  • Look for CSP additions

Goals

SSP Completeness checks are defined, tested and documented

Dependencies

No response

Acceptance Criteria

  • All FedRAMP Documents Related to OSCAL Adoption (https://github.com/GSA/fedramp-automation) affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • All constraints associated with the review task have been converted/created
  • automate.fedramp.gov content has been updated accordingly
  • The metaschema help prop has an appropriate link to the constraint
  • The template has content that models the desired OSCAL presentation
  • The constraint runs against the example template
  • Known-bad content has been created
  • The constraint appropriately flags the known-bad content as invalid

Other information

No response

@brian-ruf brian-ruf added the enhancement New feature or request label Oct 23, 2024
@aj-stein-gsa aj-stein-gsa moved this from 🆕 New to 🔖 Ready in FedRAMP Automation Oct 31, 2024
@brian-ruf brian-ruf moved this from 🔖 Ready to 🔍 Active Objectives and Issues in FedRAMP Automation Dec 2, 2024
@brian-ruf
Collaborator Author

brian-ruf commented Dec 2, 2024

Analysis

The FedRAMP PMO no longer maintains/publishes the FedRAMP Master Acronym and Glossary. As such the requirement for a reference to this document is dropped.
This simply needs to check for a back-matter resource that includes a link to the FedRAMP Laws and Regulations.

The importance of its presence is when OSCAL SSP content is passed to other interested parties, such as assessors or Agencies, the content includes up-to-date links to the list of FedRAMP Laws and Regulations.

The resources MUST have:

  • title
  • a "type" property with an @value attribute set to "citation" and an @class attribute set to "fedramp-citations"
  • an rlink with an @href that links to the appropriate artifact on fedramp.gov (https://www.fedramp.gov/assets/resources/templates/FedRAMP-Laws-Regulations-Standards-and-Guidance-Reference.xlsx)

@brian-ruf
Collaborator Author

brian-ruf commented Dec 2, 2024

Constraints Definition

  • DROP any checks for FedRAMP acronyms

context="/system-security-plan/resource"

  • Check for a resource with the appropriate "type" property and attributes (ERROR)

    • target="."
    • count(.[./prop[@name='type' and @value='citation' and @class='fedramp-citations']]) = 1
    • Error Message: There must be exactly one resource with a link to the FedRAMP Laws, Regulations, Standards and Guidance. None found.
  • Check that the above resource has an rlink/@href value set to https://www.fedramp.gov/assets/resources/templates/FedRAMP-Laws-Regulations-Standards-and-Guidance-Reference.xlsx

    • target="."
    • count(//resource[./prop[@name='type' and @value='citation' and @class='fedramp-citations']]/rlink[@href='https://www.fedramp.gov/assets/resources/templates/FedRAMP-Laws-Regulations-Standards-and-Guidance-Reference.xlsx']) = 1
    • Error Message: The resource with the FedRAMP Laws, Regulations, Standards and Guidance is present; however, the link is incorrect.
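
The two constraints above, evaluated outside of metaschema as an added example (not code from the issue or the fedramp-automation repository): the check walks back-matter resources with the Python standard library and returns the error messages defined in the comment, so known-good and known-bad snippets can be exercised the way the acceptance criteria require. The SSP snippets, the `ssp_with_resource` helper and the resource uuid are constructed for the example.

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}
# The href the second constraint requires on the citation resource's rlink.
EXPECTED_HREF = ("https://www.fedramp.gov/assets/resources/templates/"
                 "FedRAMP-Laws-Regulations-Standards-and-Guidance-Reference.xlsx")


def is_fedramp_citation(resource):
    """Mirror prop[@name='type' and @value='citation' and @class='fedramp-citations']."""
    return any(
        p.get("name") == "type" and p.get("value") == "citation"
        and p.get("class") == "fedramp-citations"
        for p in resource.findall("o:prop", NS)
    )


def check_laws_and_regulations(ssp_xml):
    """Return the list of constraint error messages; an empty list means the SSP passes."""
    root = ET.fromstring(ssp_xml)
    resources = root.findall("./o:back-matter/o:resource", NS)
    cited = [r for r in resources if is_fedramp_citation(r)]
    if len(cited) != 1:  # first constraint: exactly one fedramp-citations resource
        found = "None found." if not cited else f"Found {len(cited)}."
        return ["There must be exactly one resource with a link to the FedRAMP Laws, "
                "Regulations, Standards and Guidance. " + found]
    hrefs = [link.get("href") for link in cited[0].findall("o:rlink", NS)]
    if EXPECTED_HREF not in hrefs:  # second constraint: the rlink must point at fedramp.gov
        return ["The resource with the FedRAMP Laws, Regulations, Standards and Guidance "
                "is present; however, the link is incorrect."]
    return []


def ssp_with_resource(props, href):
    """Build a minimal SSP (constructed sample, not a FedRAMP template) around one resource."""
    prop_xml = "".join(f'<prop name="{n}" value="{v}" class="{c}"/>' for n, v, c in props)
    return (f'<system-security-plan xmlns="{OSCAL_NS}"><back-matter>'
            '<resource uuid="00000000-0000-4000-8000-000000000001">'
            '<title>FedRAMP Laws, Regulations, Standards and Guidance</title>'
            f'{prop_xml}<rlink href="{href}"/></resource>'
            '</back-matter></system-security-plan>')


if __name__ == "__main__":
    good = ssp_with_resource([("type", "citation", "fedramp-citations")], EXPECTED_HREF)
    bad_link = ssp_with_resource([("type", "citation", "fedramp-citations")], "https://example.invalid/old.xlsx")
    print(check_laws_and_regulations(good), check_laws_and_regulations(bad_link))
```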

@brian-ruf
Collaborator Author

@aj-stein-gsa / @Rene2mt - this is ready, but small. I'm going to change it to a task and put it up for work.

@brian-ruf brian-ruf moved this from 🔍 Active Objectives and Issues to 🔖 Ready in FedRAMP Automation Dec 2, 2024
@wandmagic wandmagic self-assigned this Dec 3, 2024
@wandmagic wandmagic moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Dec 3, 2024
@brian-ruf
Collaborator Author

@brian-ruf to revisit this to consider CSP-added acronyms.

Projects
Status: 🏗 In progress
Development

No branches or pull requests

2 participants