
Each Interconnection, Service, or Software Connecting to an External System Must be Linked to a POA&M Entry #934

Open
14 tasks
Tracked by #808
aj-stein-gsa opened this issue Nov 23, 2024 · 4 comments

Comments

@aj-stein-gsa
Contributor

aj-stein-gsa commented Nov 23, 2024

Constraint Task

For each interconnection, service, or software connecting to an external system, there must be an entry in the POA&M. For Stage 1 of our strategy we are only focused on completeness checks, thus we are only ensuring the link to the POA&M entry exists, and references the appropriate back-matter resource.

Intended Outcome

There must be exactly one "poam-item" link that exists as follows:

  • the rel must have the value poam-item
  • the href must include a URI fragment that references a back-matter resource.
  • the referenced resource must exist and must be a POA&M in either legacy/Excel or OSCAL.
  • the resource-fragment must be present

If the POA&M is in legacy/Excel format, the resource-fragment value will include the unique identifier as required by the FedRAMP CSP_POAM_Template_Completion_Guide. (Column A - POA&M ID).

If the POA&M is in OSCAL format, the resource-fragment value will include the poam-item/@uuid value.

Syntax Type

This uses core OSCAL syntax with a FedRAMP defined value and linkage.

Allowed Values

In addition to core-OSCAL-defined allowed values for a component/link/@rel, a poam-item allowed value must be enumerated with the following text: "The link identifies the POA&M item that quantifies risk associated with this interface."

Metapath(s) to Content

Metapath context target

//component[
    (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external'])
    or (@type='interconnection')
    or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction'])
    or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])
]

Constraint requirement: there must be at least one "poam-item" link. It must have:

  • rel='poam-item'
  • resource-fragment with a string value
    • The value could be either a poam-item UUID for OSCAL POA&Ms or some other unique identifier for legacy POA&Ms
    • We are not checking the value of the resource-fragment at this time
    • We will address this in Stage 2: Data and Referential Integrity
  • Either:
    • href with either a fully resolvable URI; or
    • a URI fragment that points to a back-matter resource
      • the back-matter resource must be a POA&M
doc-available(//component/link[@rel='poam-item' and @href and @resource-fragment and not(starts-with(@href, "#"))]/@href)
or
(
    count(
        //resource[
            @uuid = substring-after(//component/link[@rel='poam-item' and @href and @resource-fragment and starts-with(@href, "#")]/@href, "#")
            and ./prop[@name='type' and @value='plan' and @class='poam']
        ]
    ) = 1
)

Purpose of the OSCAL Content

No response

Dependencies

No response

Acceptance Criteria

  • All OSCAL adoption content affected by the change in this issue has been updated in accordance with the Documentation Standards.
    • Explanation is present and accurate
    • Sample content is present and accurate
    • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
  • All constraints associated with the review task have been created
  • The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
  • The constraint conforms to the FedRAMP Constraint Style Guide.
    • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
  • Known good test content is created for unit testing.
  • Known bad test content is created for unit testing.
  • Unit testing is configured to run both known good and known bad test content examples.
  • Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
  • A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
  • This issue is referenced in the PR.

Other information

This task is part of #808

@brian-ruf
Collaborator

Slightly revising this. It will be a "risk-present" property/extension with allowed values of "yes" and "no". If the value is "no", the remarks field is also required.

@wandmagic wandmagic self-assigned this Nov 25, 2024
@wandmagic wandmagic moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Nov 25, 2024
@wandmagic wandmagic moved this from 🏗 In progress to 📋 Backlog in FedRAMP Automation Nov 25, 2024
@wandmagic wandmagic assigned brian-ruf and unassigned wandmagic Nov 25, 2024
@brian-ruf
Collaborator

brian-ruf commented Nov 25, 2024

As documented in #935, the modeling for this just became much simpler. We have learned from the review team that every entry in Table 7.1 should always have a corresponding POA&M entry, which is the source of the risk information.

The "risk", "mitigation" and "impact" properties are being eliminated, as is the consideration for a "risk-present" property.

Now we simply need to check for exactly one link with a rel of "poam-item".

@brian-ruf brian-ruf changed the title Each networked component must has a risk property defined Each Interconnection, Service, or Software Connecting to an External Systems Must be Linked to a POA&M Entry Nov 25, 2024
@brian-ruf
Collaborator

This has been fully revised and is ready for work.

@wandmagic wandmagic moved this from 📋 Backlog to 🏗 In progress in FedRAMP Automation Nov 25, 2024
@wandmagic wandmagic assigned wandmagic and unassigned brian-ruf Nov 25, 2024
@brian-ruf
Collaborator

The path here needs to be simplified, and allow other constraints to enforce whether the field should be present or not.

So this should simply be:

  • metapath target="/system-security-plan/system-implementation/component/link[@rel='poam-item']"

We are still looking at the @href and @resource-fragment the same way.
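The following is an added example written for this page; it is not code from the FedRAMP automation project or from the issue participants. It is a standard-library Python check that mirrors both the original component-scoped constraint in the issue body (the long component metapath plus the count(...) = 1 back-matter test) and the simplified per-link target from the comment above, which leaves scoping to other constraints. Assumptions: the OSCAL 1.x XML namespace and the element and attribute names used in the issue; the sample SSP fragment, its component and resource uuids, and the resource-fragment values are constructed placeholders; an absolute href (the doc-available() branch) is not resolved offline and is only checked for presence.

```python
# Added example, not project code: Stage 1 completeness check for "poam-item" links.
# Assumes the OSCAL 1.x namespace and the element/attribute names quoted in the issue.
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}
POAM_ITEM = "poam-item"

# Constructed sample SSP fragment. uuids and resource-fragment values are placeholders.
# comp-1 is compliant, comp-2 points at a non-POA&M resource, comp-3 has no link,
# comp-4 is out of scope for the original component selection (internal, no direction).
SAMPLE_SSP = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <system-implementation>
    <component uuid="comp-1" type="interconnection">
      <title>Interconnection to partner SOC</title>
      <link rel="poam-item" href="#res-poam" resource-fragment="V-0042"/>
    </component>
    <component uuid="comp-2" type="service">
      <title>External DNS service</title>
      <prop name="implementation-point" value="external"/>
      <link rel="poam-item" href="#res-other" resource-fragment="V-0043"/>
    </component>
    <component uuid="comp-3" type="software">
      <title>Admin CLI</title>
      <prop name="asset-type" value="cli"/>
      <prop name="direction" value="outgoing"/>
    </component>
    <component uuid="comp-4" type="service">
      <title>Internal service with no direction</title>
      <prop name="implementation-point" value="internal"/>
    </component>
  </system-implementation>
  <back-matter>
    <resource uuid="res-poam">
      <title>Plan of Action and Milestones</title>
      <prop name="type" value="plan" class="poam"/>
    </resource>
    <resource uuid="res-other">
      <title>Some other plan</title>
      <prop name="type" value="plan" class="ssp"/>
    </resource>
  </back-matter>
</system-security-plan>
"""


def _prop(elem, name, value=None):
    """True if elem carries a prop with this name (and this value, when given)."""
    return any(p.get("name") == name and (value is None or p.get("value") == value)
               for p in elem.findall("o:prop", NS))


def in_scope(comp):
    """Component selection from the issue body's original metapath."""
    t = comp.get("type")
    return (
        (t == "service" and not _prop(comp, "leveraged-authorization-uuid")
         and _prop(comp, "implementation-point", "external"))
        or t == "interconnection"
        or (t == "service" and _prop(comp, "implementation-point", "internal")
            and _prop(comp, "direction"))
        or (t == "software" and _prop(comp, "asset-type", "cli") and _prop(comp, "direction"))
    )


def is_poam_resource(res):
    """Back-matter resource typed as a POA&M: prop type=plan with class=poam."""
    return any(p.get("name") == "type" and p.get("value") == "plan" and p.get("class") == "poam"
               for p in res.findall("o:prop", NS))


def check_link(link, root):
    """Completeness checks for one poam-item link; returns a list of findings (empty = pass)."""
    findings = []
    href = link.get("href")
    if not href:
        findings.append("poam-item link has no href")
    if not link.get("resource-fragment"):
        findings.append("poam-item link has no resource-fragment")
    if href and href.startswith("#"):
        uuid = href[1:]
        matches = [r for r in root.findall("o:back-matter/o:resource", NS)
                   if r.get("uuid") == uuid and is_poam_resource(r)]
        if len(matches) != 1:
            findings.append(f"href {href} does not resolve to exactly one POA&M back-matter resource")
    # An absolute href would need doc-available()-style resolution; not attempted offline.
    return findings


def check_ssp(xml_text):
    """Original constraint: {component uuid: findings} for every in-scope component."""
    root = ET.fromstring(xml_text)
    results = {}
    for comp in root.findall("o:system-implementation/o:component", NS):
        if not in_scope(comp):
            continue
        links = comp.findall(f"o:link[@rel='{POAM_ITEM}']", NS)
        findings = [] if len(links) == 1 else [f"expected exactly one poam-item link, found {len(links)}"]
        for link in links:
            findings.extend(check_link(link, root))
        results[comp.get("uuid")] = findings
    return results


def check_all_poam_links(xml_text):
    """Simplified target from the last comment: validate every poam-item link wherever it appears."""
    root = ET.fromstring(xml_text)
    return [(link.get("href"), check_link(link, root)) for link in
            root.findall(f"o:system-implementation/o:component/o:link[@rel='{POAM_ITEM}']", NS)]


if __name__ == "__main__":
    for uuid, findings in check_ssp(SAMPLE_SSP).items():
        print(uuid, "PASS" if not findings else findings)
```

The two entry points correspond to the two shapes of the constraint discussed in the thread: check_ssp applies the original component selection and the exactly-one rule, while check_all_poam_links validates href and resource-fragment on every poam-item link and leaves presence to other constraints, as the last comment proposes.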
