Authentication Method Constraint for Leveraged Authorizations and External, Interconnected, and Unauthorized Systems

[brian-ruf]

Constraint Task

Ensure the "authentication-method" prop/extension is present in appropriate components dealing with leveraged systems, interconnections, and authorized services.

Intended Outcome

Check for the existence of the "user-authentication" property (cardinality 1 or more) within components that meet any one of the following criteria:

• a "system" component representing a leveraged system (contains a "leveraged-authorization-uuid" property)
• a "service" component with an external implementation point, and WITHOUT a "leveraged-authorization-uuid" property, because it is either a non-authorized service of a leveraged system or it provided by an external system other than the leveraged system.
• an "interconnection" component
• a "service" component with an internal implementation point, and a "direction" property, indicating this service is offered by this system in a way that allows external systems/users to connect.
• a "software" component with an asset type of "cli" and a "direction" property indicating the CLI communicates across the boundary.

Syntax Type

This is a FedRAMP constraint in the FedRAMP-specific namespace.

Allowed Values

FedRAMP allowed values must be defined or verified.

Metapath(s) to Content

target = "//component[
   (@type='system' and ./prop[@name='leveraged-authorization-uuid'])
or
   (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and  ./prop[@name='implementation-point' and @value='external'])
or
   (@type='interconnection')
or 
   (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction'])
or
   (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])
]"

Constraint:

count(./prop[@name='authentication-method']) = 1

Purpose of the OSCAL Content

Documents the existence and nature of any authentication method associated with communication that crosses the authorization boundary. This could be user or system authentication.

Dependencies

No response

Acceptance Criteria

• All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
  • Explanation is present and accurate
  • sample content is present and accurate
  • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
• All constraints associated with the review task have been created
• The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
• The constraint conforms to the FedRAMP Constraint Style Guide.
  • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
• Known good test content is created for unit testing.
• Known bad test content is created for unit testing.
• Unit testing is configured to run both known good and known bad test content examples.
• Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
• A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
• This issue is referenced in the PR.

Other information

No response

[brian-ruf]

@Gabeblis unfortunately we need to revise the target for this constraint as follows:

target="//component[

   (@type='system' and ./prop[@name='leveraged-authorization-uuid'])

or

   (@type='interconnection')
   
or

   (@type=('service', 'software') and not(./prop[@name='leveraged-authorization-uuid']) and  ./prop[@name='implementation-point' and @value='external'])

or

   (@type=('service', 'software') and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal'])

]"

[Gabeblis]

@Gabeblis unfortunately we need to revise the target for this constraint as follows:

target="//component[

   (@type='system' and ./prop[@name='leveraged-authorization-uuid'])

or

   (@type='interconnection')
   
or

   (@type=('service', 'software') and not(./prop[@name='leveraged-authorization-uuid']) and  ./prop[@name='implementation-point' and @value='external'])

or

   (@type=('service', 'software') and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='communicates-externally' and @value='yes' and @ns='http://fedramp.gov/ns/oscal'])

]"

Ok, resolved in #974.