From 108feca1bc4ae78e9f8c70fa80805f33eb4ae69b Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Fri, 18 Oct 2024 17:51:32 -0400
Subject: [PATCH] [WIP] No by-component w/o statement for #770

Defining them outside of a statement is syntatically valid, but outside of FedRAMP best practices and is not accepted. We must add an additional constraint to indicate this should be removed.

Co-Authored-By: Kylie Hunter
---
 features/fedramp_extensions.feature | 3 ++
 .../constraints/content/ssp-all-VALID.xml | 36 +++++++++----------
 ...quirement-not-inside-statement-INVALID.xml | 36 +++++++++++++++++++
 .../fedramp-external-constraints.xml | 5 ++-
 ...requirement-not-inside-statement-FAIL.yaml | 9 +++++
 ...requirement-not-inside-statement-PASS.yaml | 9 +++++
 6 files changed, 79 insertions(+), 19 deletions(-)
 create mode 100644 src/validations/constraints/content/ssp-by-component-requirement-not-inside-statement-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/by-component-requirement-not-inside-statement-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/by-component-requirement-not-inside-statement-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index 940766489..b72e992fd 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -21,6 +21,8 @@ Examples:
 | attachment-type-PASS.yaml |
 | authorization-type-FAIL.yaml |
 | authorization-type-PASS.yaml |
+ | by-component-requirement-not-inside-statement-FAIL.yaml |
+ | by-component-requirement-not-inside-statement-PASS.yaml |
 | categorization-has-correct-system-attribute-FAIL.yaml |
 | categorization-has-correct-system-attribute-PASS.yaml |
 | categorization-has-information-type-id-FAIL.yaml |
@@ -165,6 +167,7 @@ Examples:
 | address-type |
 | attachment-type |
 | authorization-type |
+ | by-component-requirement-not-inside-statement |
 | categorization-has-correct-system-attribute |
 | categorization-has-information-type-id |
 | cloud-service-model |
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 12478cc2f..0721f0bb7 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -213,31 +213,31 @@ + + +

Access Control Policy and Procedures (AC-1) is fully implemented in our system.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
- - -

Access Control Policy and Procedures (AC-1) is fully implemented in our system.

-
- - - 11111111-0000-4000-9000-000000000001 - -
+ + +

Information System Component Inventory (CM-8) is partially implemented.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
- - -

Information System Component Inventory (CM-8) is partially implemented.

-
- - - 11111111-0000-4000-9000-000000000001 - -
diff --git a/src/validations/constraints/content/ssp-by-component-requirement-not-inside-statement-INVALID.xml b/src/validations/constraints/content/ssp-by-component-requirement-not-inside-statement-INVALID.xml
new file mode 100644
index 000000000..1d70cdf04
--- /dev/null
+++ b/src/validations/constraints/content/ssp-by-component-requirement-not-inside-statement-INVALID.xml
@@ -0,0 +1,36 @@ + + + +

Implementation of controls for the Enhanced Example System

+
+ + + + + + + +

Access Control Policy and Procedures (AC-1) is fully implemented in our system.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + + + + +

Information System Component Inventory (CM-8) is partially implemented.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+
+
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index fa2dda45e..f77afb86d 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -192,7 +192,10 @@ - + + A FedRAMP SSP MUST document only a component-based implemented requirement within a specific statement, not at the control level. + + Each implemented requirement must have at least one by-component reference to the source component implementing it.
diff --git a/src/validations/constraints/unit-tests/by-component-requirement-not-inside-statement-FAIL.yaml b/src/validations/constraints/unit-tests/by-component-requirement-not-inside-statement-FAIL.yaml
new file mode 100644
index 000000000..f61f5dda0
--- /dev/null
+++ b/src/validations/constraints/unit-tests/by-component-requirement-not-inside-statement-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Negative Test for by-component-requirement-not-inside-statement
+ description: >-
+ This test case validates the behavior of constraint
+ by-component-requirement-not-inside-statement
+ content: ../content/ssp-by-component-requirement-not-inside-statement-INVALID.xml
+ expectations:
+ - constraint-id: by-component-requirement-not-inside-statement
+ result: fail
diff --git a/src/validations/constraints/unit-tests/by-component-requirement-not-inside-statement-PASS.yaml b/src/validations/constraints/unit-tests/by-component-requirement-not-inside-statement-PASS.yaml
new file mode 100644
index 000000000..1db9c54e6
--- /dev/null
+++ b/src/validations/constraints/unit-tests/by-component-requirement-not-inside-statement-PASS.yaml
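Review bot: The message on the new expect in fedramp-external-constraints.xml describes the rule from the implemented-requirement's point of view ("document only a component-based implemented requirement within a specific statement"), which does not tell an SSP author which element is misplaced; the FAIL fixture, going by its name and the commit message, places `by-component` directly under `implemented-requirement`, so the message should name that element. Suggested wording: `A FedRAMP SSP MUST place each by-component of an implemented-requirement inside a statement, not directly under the implemented-requirement.` The element's id/target/test attributes were lost in the extracted hunk, so the matching expression cannot be checked here; it should be anchored on a `by-component` whose parent is `implemented-requirement`, so that the statement-level `by-component` elements that ssp-all-VALID.xml now uses continue to pass. The unchanged message that follows ("Each implemented requirement must have at least one by-component reference ...") belongs to a sibling constraint whose test is not visible; if that test only counts `by-component` directly under `implemented-requirement`, every SSP that satisfies the new rule would fail it, so the two should be confirmed consistent before this leaves WIP.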
@@ -0,0 +1,9 @@
+test-case:
+ name: Positive Test for by-component-requirement-not-inside-statement
+ description: >-
+ This test case validates the behavior of constraint
+ by-component-requirement-not-inside-statement
+ content: ../content/ssp-all-VALID.xml
+ expectations:
+ - constraint-id: by-component-requirement-not-inside-statement
+ result: pass