by-component constraint enforced in wrong location #939

Open
1 task done
brian-ruf opened this issue Nov 26, 2024 · 1 comment · May be fixed by #969
brian-ruf commented Nov 26, 2024

This relates to ...

  • the FedRAMP OSCAL Validations

What happened?

The fedramp-external-constraints.xml file includes constraint ID: missing-response-components, which is enforcing the existence of the by-component assembly in the wrong location.

It is requiring at least one by-component assembly as an immediate child to //control-implementation/implemented-requirement. While it is valid OSCAL to have a by-component at this level, FedRAMP requires all responses at the statement level. (//control-implementation/implemented-requirement/statement)

The constraint is currently implemented as follows:

    <context>
        <metapath target="/system-security-plan/control-implementation"/>
        <constraints>
            <expect id="missing-response-components" target="implemented-requirement" test="count(./by-component) gt 0" level="ERROR">
                <formal-name>Missing Response Components</formal-name>
                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#response-overview"/>
                <message>Each implemented requirement MUST have at least one by-component reference to the source component implementing it.</message>
            </expect>
        </constraints>
    </context>

Relevant log output

It is reporting the following error:
> Each implemented requirement MUST have at least one by-component reference to the source component implementing it.

How do we replicate this issue?

Run oscal-cli v 2.2.0 against the example SSP file using the fedramp-external-constraints.xml file in the develop branch.

Observe the error for every control, with a sarif link to the implemented-requirement (indeed, even the error message incorrectly says "Each implemented requirement MUST have at least one by-component ...")

Observe the example with by-component consistently present for every control at the statement level.

Where, exactly?

This is enforcing that every control response should be in the context of a component (via the by-component assembly).

Other relevant details

No response
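The two constraint locations contrasted in this report, as an added Python example that is not part of the issue or of the fedramp-automation project: it evaluates the count as the reported constraint targets it (a `by-component` child of `implemented-requirement`) beside a statement-level count (the location the report says FedRAMP requires) over a constructed SSP fragment. The statement-level check is an assumption about what a corrected constraint would do, not the project's merged fix; the OSCAL 1.0 namespace is the real one, the UUIDs are placeholders.

```python
import xml.etree.ElementTree as ET

# OSCAL 1.0 XML namespace (real value used by OSCAL documents).
OSCAL_NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed SSP fragment (not a real FedRAMP example): two implemented
# requirements with responses at the statement level only, which is where
# the issue says FedRAMP requires them. ac-2 is missing its response so a
# statement-level check has something legitimate to flag.
# UUIDs are placeholders, not values from any real document.
SAMPLE_SSP = """\
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <control-implementation>
    <implemented-requirement uuid="11111111-1111-4111-8111-111111111111" control-id="ac-1">
      <statement statement-id="ac-1_smt.a" uuid="22222222-2222-4222-8222-222222222222">
        <by-component component-uuid="33333333-3333-4333-8333-333333333333"
                      uuid="44444444-4444-4444-8444-444444444444">
          <description><p>Constructed response text.</p></description>
        </by-component>
      </statement>
    </implemented-requirement>
    <implemented-requirement uuid="55555555-5555-4555-8555-555555555555" control-id="ac-2">
      <statement statement-id="ac-2_smt" uuid="66666666-6666-4666-8666-666666666666"/>
    </implemented-requirement>
  </control-implementation>
</system-security-plan>
"""


def implemented_requirements(root):
    """Return every implemented-requirement under control-implementation."""
    return root.findall(
        "o:control-implementation/o:implemented-requirement", OSCAL_NS
    )


def check_at_implemented_requirement(root):
    """Mirror the constraint as reported: target implemented-requirement and
    test count(./by-component) gt 0. Returns the control-ids that fail.
    With statement-level responses, every control fails, which is the
    false positive the issue describes."""
    return [
        ir.get("control-id")
        for ir in implemented_requirements(root)
        if len(ir.findall("o:by-component", OSCAL_NS)) == 0
    ]


def check_at_statement(root):
    """Assumed corrected location: target each statement under the
    implemented-requirement and require a by-component child there.
    Returns (control-id, statement-id) pairs that fail."""
    failures = []
    for ir in implemented_requirements(root):
        for stmt in ir.findall("o:statement", OSCAL_NS):
            if len(stmt.findall("o:by-component", OSCAL_NS)) == 0:
                failures.append((ir.get("control-id"), stmt.get("statement-id")))
    return failures


def run_checks(ssp_xml=SAMPLE_SSP):
    """Run both checks over an SSP document and return their findings."""
    root = ET.fromstring(ssp_xml)
    return {
        "implemented-requirement-level": check_at_implemented_requirement(root),
        "statement-level": check_at_statement(root),
    }


if __name__ == "__main__":
    for name, failures in run_checks().items():
        print(f"{name}: {failures or 'no findings'}")
```

Run it as-is: the implemented-requirement-level check reports both controls even though ac-1 is fully answered, while the statement-level check reports only the genuinely empty ac-2 statement.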

@brian-ruf brian-ruf added the bug Something isn't working label Nov 26, 2024
@brian-ruf brian-ruf moved this from 🆕 New to 🔖 Ready in FedRAMP Automation Nov 26, 2024
@aj-stein-gsa aj-stein-gsa self-assigned this Dec 2, 2024
@aj-stein-gsa aj-stein-gsa moved this from 🔖 Ready to 🏗 In progress in FedRAMP Automation Dec 3, 2024
aj-stein-gsa added a commit to aj-stein-gsa/fedramp-automation that referenced this issue Dec 3, 2024
@aj-stein-gsa aj-stein-gsa linked a pull request Dec 3, 2024 that will close this issue
@aj-stein-gsa aj-stein-gsa moved this from 🏗 In progress to 👀 In review in FedRAMP Automation Dec 4, 2024
@aj-stein-gsa (Contributor) commented:

I cannot cross-link for a fork that is not mine, it seems, but the branch I discussed linking to is now out of date and we have changed strategy as I touched up this branch, so I am targeting a fork branch so it will slide in the new approach for integration testing using the "all good Brian SSP example."

wandmagic#18
