Fix by-component implemented requirement checks #796
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||
|---|---|---|---|---|
| @@ -0,0 +1,36 @@ | ||||
| <system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012"> | ||||
| <control-implementation> | ||||
| <description> | ||||
| <p>Implementation of controls for the Enhanced Example System</p> | ||||
| </description> | ||||
| <implemented-requirement uuid="88888888-0000-4000-9000-000000000008" control-id="ac-1"> | ||||
| <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/> | ||||
| <prop name="implementation-status" value="partial" ns="https://fedramp.gov/ns/oscal"/> | ||||
| <statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009"> | ||||
| </statement> | ||||
| <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a"> | ||||
| <description> | ||||
| <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p> | ||||
| </description> | ||||
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="implemented"/> | ||||
|
There was a problem hiding this comment.
Suggested change
|
||||
| <responsible-role role-id="system-admin"> | ||||
| <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> | ||||
| </responsible-role> | ||||
| </by-component> | ||||
| </implemented-requirement> | ||||
| <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8"> | ||||
| <prop name="control-origination" value="sp-system" ns="https://fedramp.gov/ns/oscal"/> | ||||
| <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c"> | ||||
| </statement> | ||||
| <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d"> | ||||
| <description> | ||||
| <p>Information System Component Inventory (CM-8) is partially implemented.</p> | ||||
| </description> | ||||
| <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="partial"/> | ||||
|
There was a problem hiding this comment.
Suggested change
|
||||
| <responsible-role role-id="system-admin"> | ||||
| <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> | ||||
| </responsible-role> | ||||
| </by-component> | ||||
| </implemented-requirement> | ||||
| </control-implementation> | ||||
| </system-security-plan> | ||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -192,7 +192,10 @@ | |||||||||||||||||
| <context> | ||||||||||||||||||
| <metapath target="/system-security-plan/control-implementation"/> | ||||||||||||||||||
| <constraints> | ||||||||||||||||||
| <expect id="by-component-requirement-not-inside-statement" target="implemented-requirement" test="not(exists(by-component))"> | ||||||||||||||||||
| <message>A FedRAMP SSP MUST document only a component-based implemented requirement within a specific statement, not at the control level.</message> | ||||||||||||||||||
| </expect> | ||||||||||||||||||
| <expect id="missing-response-components" target="implemented-requirement/statement" test="count(./by-component) gt 0"> | ||||||||||||||||||
|
Comment on lines
+195
to
+198
There was a problem hiding this comment.
Suggested change
|
||||||||||||||||||
| <message>Each implemented requirement must have at least one by-component reference to the source component implementing it.</message> | ||||||||||||||||||
| </expect> | ||||||||||||||||||
| </constraints> | ||||||||||||||||||
|
|
||||||||||||||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| test-case: | ||
| name: Negative Test for by-component-requirement-not-inside-statement | ||
| description: >- | ||
| This test case validates the behavior of constraint | ||
| by-component-requirement-not-inside-statement | ||
| content: ../content/ssp-by-component-requirement-not-inside-statement-INVALID.xml | ||
| expectations: | ||
| - constraint-id: by-component-requirement-not-inside-statement | ||
| result: fail |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| test-case: | ||
| name: Positive Test for by-component-requirement-not-inside-statement | ||
| description: >- | ||
| This test case validates the behavior of constraint | ||
| by-component-requirement-not-inside-statement | ||
| content: ../content/ssp-all-VALID.xml | ||
| expectations: | ||
| - constraint-id: by-component-requirement-not-inside-statement | ||
| result: pass |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Rene2mt, I was working on this later last week and I was surprised this bug fix is a little more confusing than I had once thought. I have a question about how we came to have the
prop[@name="implementation-status"]and not use the dedicatedimplementation-statusassembly? I have been gone a while, but this the prop is also thoroughly documented on our site and the primaryimplementation-status(not the prop) is not documented at all.Do you know if there was/is a reason for this? It is not immediately related to the PR but tests kept failing as I moved that around and this led me to scratch my head.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the
prop[@name="implementation-status"]prop was created because FedRAMP needed a way to specify and/or determine the overall status for a control at thecontrol-implementation/implemented-requirementlevel. Thispropwas also to support scenarios wherecontrol-implementation/implemented-requirementa control has needs to have more than one status specified (e.g., "partial" and "planned"). There is some documentation around this, but it needs to be expanded to clarify the use of the "implementation-status"propat theimplemented-requirementlevel versus the use of theimplementation-statusassembly at theby-componentlevel.New issue #802 is going to explore the scenarios and options for implementation status in FedRAMP OSCAL SSPs. We'll probably draft an ADR for that.