Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add system-characteristics 'has-assurance-level' constraints #701

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 12 additions & 3 deletions features/fedramp_extensions.feature
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,14 @@ Examples:
| data-center-us-PASS.yaml |
| deployment-mode-FAIL.yaml |
| deployment-mode-PASS.yaml |
| has-authenticator-assurance-level-FAIL.yaml |
| has-authenticator-assurance-level-PASS.yaml |
| has-configuration-management-plan-FAIL.yaml |
| has-configuration-management-plan-PASS.yaml |
| has-federation-assurance-level-FAIL.yaml |
| has-federation-assurance-level-PASS.yaml |
| has-identity-assurance-level-FAIL.yaml |
| has-identity-assurance-level-PASS.yaml |
| has-incident-response-plan-FAIL.yaml |
| has-incident-response-plan-PASS.yaml |
| has-information-system-contingency-plan-FAIL.yaml |
Expand All @@ -71,12 +77,12 @@ Examples:
| resource-has-title-PASS.yaml |
| response-point-FAIL.yaml |
| response-point-PASS.yaml |
| role-defined-system-owner-FAIL.yaml |
| role-defined-system-owner-PASS.yaml |
| role-defined-authorizing-official-poc-FAIL.yaml |
| role-defined-authorizing-official-poc-PASS.yaml |
| role-defined-information-system-security-officer-FAIL.yaml |
| role-defined-information-system-security-officer-PASS.yaml |
| role-defined-system-owner-FAIL.yaml |
| role-defined-system-owner-PASS.yaml |
| scan-type-FAIL.yaml |
| scan-type-PASS.yaml |
| user-type-FAIL.yaml |
Expand Down Expand Up @@ -110,7 +116,10 @@ Examples:
| data-center-country-code |
| data-center-primary |
| deployment-model |
| has-authenticator-assurance-level |
| has-configuration-management-plan |
| has-federation-assurance-level |
| has-identity-assurance-level |
| has-incident-response-plan |
| has-information-system-contingency-plan |
| has-rules-of-behavior |
Expand All @@ -124,9 +133,9 @@ Examples:
| prop-response-point-has-cardinality-one |
| resource-has-base64-or-rlink |
| resource-has-title |
| role-defined-system-owner |
| role-defined-authorizing-official-poc |
| role-defined-information-system-security-officer |
| role-defined-system-owner |
| scan-type |
| user-type |
#END_DYNAMIC_CONSTRAINT_IDS
3 changes: 3 additions & 0 deletions src/validations/constraints/content/ssp-all-VALID.xml
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,9 @@
<prop name='cloud-deployment-model' value='government-only-cloud' ns="https://fedramp.gov/ns/oscal"/>
<prop name='cloud-service-model' value='other' ns="https://fedramp.gov/ns/oscal"/>
<prop name='authorization-type' value='fedramp-agency' ns="https://fedramp.gov/ns/oscal"/>
<prop name="identity-assurance-level" value="2"/>
<prop name="authenticator-assurance-level" value="2"/>
<prop name="federation-assurance-level" value="2"/>
<security-sensitivity-level>moderate</security-sensitivity-level>
<system-information>
<information-type uuid="33333333-0000-4000-9000-000000000003">
Expand Down
11 changes: 10 additions & 1 deletion src/validations/constraints/fedramp-external-constraints.xml
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,18 @@
<expect id="categorization-has-correct-system-attribute" target="./system-characteristics" test="system-information/information-type/categorization/@system eq 'https://doi.org/10.6028/NIST.SP.800-60v2r1'" level="ERROR">
<message>A FedRAMP SSP information-type categorization requires a correct system attribute. FedRAMP only supports the system value 'https://doi.org/10.6028/NIST.SP.800-60v2r1'.</message>
</expect>
<expect id="categorization-has-information-type-id" target="//system-characteristics" test="system-information/information-type/categorization/information-type-id" level="ERROR">
<expect id="categorization-has-information-type-id" target="./system-characteristics" test="system-information/information-type/categorization/information-type-id" level="ERROR">
<message>A FedRAMP SSP information type categorization must have at least one information type identifier.</message>
</expect>
<expect id="has-identity-assurance-level" target="./system-characteristics" test="prop[@name eq 'identity-assurance-level']" level="INFORMATIONAL">
<message>This FedRAMP SSP does define its NIST SP 800-63 identity assurance level (IAL).</message>
</expect>
<expect id="has-authenticator-assurance-level" target="./system-characteristics" test="prop[@name eq 'authenticator-assurance-level']" level="INFORMATIONAL">
<message>This FedRAMP SSP does define its NIST SP 800-63 authenticator assurance level (AAL).</message>
</expect>
<expect id="has-federation-assurance-level" target="./system-characteristics" test="prop[@name eq 'federation-assurance-level']" level="INFORMATIONAL">
<message>This FedRAMP SSP does define its NIST SP 800-63 federation assurance level (IAL).</message>
</expect>
</constraints>
</context>
<context>
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for has-authenticator-assurance-level
description: >-
This test case validates the behavior of constraint
has-authenticator-assurance-level
content: ../content/ssp-all-INVALID.xml
expectations:
- constraint-id: has-authenticator-assurance-level
result: fail
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for has-authenticator-assurance-level
description: >-
This test case validates the behavior of constraint
has-authenticator-assurance-level
content: ../content/ssp-all-VALID.xml
expectations:
- constraint-id: has-authenticator-assurance-level
result: pass
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for has-federation-assurance-level
description: >-
This test case validates the behavior of constraint
has-federation-assurance-level
content: ../content/ssp-all-INVALID.xml
expectations:
- constraint-id: has-federation-assurance-level
result: fail
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for has-federation-assurance-level
description: >-
This test case validates the behavior of constraint
has-federation-assurance-level
content: ../content/ssp-all-VALID.xml
expectations:
- constraint-id: has-federation-assurance-level
result: pass
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for has-identity-assurance-level
description: >-
This test case validates the behavior of constraint
has-identity-assurance-level
content: ../content/ssp-all-INVALID.xml
expectations:
- constraint-id: has-identity-assurance-level
result: fail
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for has-identity-assurance-level
description: >-
This test case validates the behavior of constraint
has-identity-assurance-level
content: ../content/ssp-all-VALID.xml
expectations:
- constraint-id: has-identity-assurance-level
result: pass
Loading