Fix by-component implemented requirement checks #796
Conversation
aj-stein-gsa
force-pushed
the
770-fix-by-component-statement-checks
branch
from
ef26bb6 to
cefbf1b
Compare
| @@ -212,31 +212,31 @@ | |||
| <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/> | |||
| <prop name="implementation-status" value="partial" ns="https://fedramp.gov/ns/oscal"/> | |||
There was a problem hiding this comment.
@Rene2mt, I was working on this later last week and I was surprised this bug fix is a little more confusing than I had once thought. I have a question about how we came to have the prop[@name="implementation-status"] and not use the dedicated implementation-status assembly? I have been gone a while, but this the prop is also thoroughly documented on our site and the primary implementation-status (not the prop) is not documented at all.
Do you know if there was/is a reason for this? It is not immediately related to the PR but tests kept failing as I moved that around and this led me to scratch my head.
There was a problem hiding this comment.
I believe the prop[@name="implementation-status"] prop was created because FedRAMP needed a way to specify and/or determine the overall status for a control at the control-implementation/implemented-requirement level. This prop was also to support scenarios where control-implementation/implemented-requirement a control has needs to have more than one status specified (e.g., "partial" and "planned"). There is some documentation around this, but it needs to be expanded to clarify the use of the "implementation-status" prop at the implemented-requirement level versus the use of the implementation-status assembly at the by-component level.
New issue #802 is going to explore the scenarios and options for implementation status in FedRAMP OSCAL SSPs. We'll probably draft an ADR for that.
| @@ -212,31 +212,31 @@ | |||
| <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/> | |||
| <prop name="implementation-status" value="partial" ns="https://fedramp.gov/ns/oscal"/> | |||
There was a problem hiding this comment.
I believe the prop[@name="implementation-status"] prop was created because FedRAMP needed a way to specify and/or determine the overall status for a control at the control-implementation/implemented-requirement level. This prop was also to support scenarios where control-implementation/implemented-requirement a control has needs to have more than one status specified (e.g., "partial" and "planned"). There is some documentation around this, but it needs to be expanded to clarify the use of the "implementation-status" prop at the implemented-requirement level versus the use of the implementation-status assembly at the by-component level.
New issue #802 is going to explore the scenarios and options for implementation status in FedRAMP OSCAL SSPs. We'll probably draft an ADR for that.
| <description> | ||
| <p>Information System Component Inventory (CM-8) is partially implemented.</p> | ||
| </description> | ||
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/> |
There was a problem hiding this comment.
Use the implementations-status assembly inside the by-component, however, it is optional.
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/> |
| <responsible-role role-id="system-admin"> | ||
| <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> | ||
| </responsible-role> | ||
| </by-component> | ||
| </implemented-requirement> | ||
|
|
||
| <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8"> | ||
| <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/> |
There was a problem hiding this comment.
| <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/> | |
| <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/> | |
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/> |
| <description> | ||
| <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p> | ||
| </description> | ||
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/> |
There was a problem hiding this comment.
Use the implementations-status assembly inside the by-component, however, it is optional.
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/> |
| <expect id="by-component-requirement-not-inside-statement" target="implemented-requirement" test="not(exists(by-component))"> | ||
| <message>A FedRAMP SSP MUST document only a component-based implemented requirement within a specific statement, not at the control level.</message> | ||
| </expect> | ||
| <expect id="missing-response-components" target="implemented-requirement/statement" test="count(./by-component) gt 0"> |
There was a problem hiding this comment.
| <expect id="by-component-requirement-not-inside-statement" target="implemented-requirement" test="not(exists(by-component))"> | |
| <message>A FedRAMP SSP MUST document only a component-based implemented requirement within a specific statement, not at the control level.</message> | |
| </expect> | |
| <expect id="missing-response-components" target="implemented-requirement/statement" test="count(./by-component) gt 0"> | |
| <expect id="by-component-requirement-not-inside-statement" target="implemented-requirement" test="not(exists(by-component))" level="ERROR"> | |
| <message>A FedRAMP SSP MUST document only a component-based implemented requirement within a specific statement, not at the control level.</message> | |
| </expect> | |
| <expect id="missing-response-components" target="implemented-requirement/statement" test="count(./by-component) gt 0" level="ERROR"> |
| <description> | ||
| <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p> | ||
| </description> | ||
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/> |
There was a problem hiding this comment.
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/> |
| <description> | ||
| <p>Information System Component Inventory (CM-8) is partially implemented.</p> | ||
| </description> | ||
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/> |
There was a problem hiding this comment.
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/> |
Defining them outside of a statement is syntatically valid, but outside of FedRAMP best practices and is not accepted. We must add an additional constraint to indicate this should be removed. Co-Authored-By: Kylie Hunter <[email protected]>
aj-stein-gsa
force-pushed
the
770-fix-by-component-statement-checks
branch
from
cefbf1b to
108feca
Compare
|
I am working on integrating Rene's feedback and reviewing the documentation to fix the test. His feedback was very helpful, but we found an unrelated bug when looking into errors with Thanks to Kylie for opening that issue in #818. |
|
Closing this, will reopen on same PR when I am back into it. |
Committer Notes
Fixes #770.
All Submissions:
If applicable, have all FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated?If applicable, does this PR reference the issue it addresses and explain how it addresses the issue?By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.